Input variables for eos_cli_config_gen¶
This document describes the supported input variables for the role arista.avd.eos_cli_config_gen.
Since several data models have changed between AVD versions 3.x and 4.x, it is recommended to study the Porting Guide for AVD 4.x.x for existing deployments.
The input variables are documented below in tables and YAML.
All values are optional.
Note
All input variables are validated by a schema. If additional custom keys are desired, a key starting with an underscore _, will be ignored.
Warning
Available features and variables may vary by platforms, refer to documentation on arista.com for specifics.
Authentication¶
AAA accounting¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| aaa_accounting | Dictionary | ||||
| exec | Dictionary | ||||
| console | Dictionary | ||||
| type | String | Valid Values: - none- start-stop- stop-only |
|||
| group | String | Group Name | |||
| logging | Boolean | ||||
| default | Dictionary | ||||
| type | String | Valid Values: - none- start-stop- stop-only |
|||
| group | String | Group Name | |||
| logging | Boolean | ||||
| system | Dictionary | ||||
| default | Dictionary | ||||
| type | String | Valid Values: - none- start-stop- stop-only |
|||
| group | String | Group Name | |||
| dot1x | Dictionary | ||||
| default | Dictionary | ||||
| type | String | Valid Values: - start-stop- stop-only |
|||
| group | String | Group Name | |||
| commands | Dictionary | ||||
| console | List, items: Dictionary | ||||
| - commands | String | Privelege level ‘all’ or 0-15 | |||
| type | String | Valid Values: - none- start-stop- stop-only |
|||
| group | String | Group Name | |||
| logging | Boolean | ||||
| default | List, items: Dictionary | ||||
| - commands | String | Privelege level ‘all’ or 0-15 | |||
| type | String | Valid Values: - none- start-stop- stop-only |
|||
| group | String | Group Name | |||
| logging | Boolean |
aaa_accounting:
exec:
console:
type: <str; "none" | "start-stop" | "stop-only">
# Group Name
group: <str>
logging: <bool>
default:
type: <str; "none" | "start-stop" | "stop-only">
# Group Name
group: <str>
logging: <bool>
system:
default:
type: <str; "none" | "start-stop" | "stop-only">
# Group Name
group: <str>
dot1x:
default:
type: <str; "start-stop" | "stop-only">
# Group Name
group: <str>
commands:
console:
# Privelege level 'all' or 0-15
- commands: <str>
type: <str; "none" | "start-stop" | "stop-only">
# Group Name
group: <str>
logging: <bool>
default:
# Privelege level 'all' or 0-15
- commands: <str>
type: <str; "none" | "start-stop" | "stop-only">
# Group Name
group: <str>
logging: <bool>
AAA authentication¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| aaa_authentication | Dictionary | ||||
| login | Dictionary | ||||
| default | String | Login authentication method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group radius group MYGROUP local” |
|||
| console | String | Console authentication method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group radius group MYGROUP local” |
|||
| enable | Dictionary | ||||
| default | String | Enable authentication method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group radius group MYGROUP local” |
|||
| dot1x | Dictionary | ||||
| default | String | 802.1x authentication method(s) as a string. Examples: - “group radius” - “group MYGROUP group radius” |
|||
| policies | Dictionary | ||||
| on_failure_log | Boolean | ||||
| on_success_log | Boolean | ||||
| local | Dictionary | ||||
| allow_nopassword | Boolean | ||||
| lockout | Dictionary | ||||
| failure | Integer | Min: 1 Max: 255 |
|||
| duration | Integer | Min: 1 Max: 4294967295 |
|||
| window | Integer | Min: 1 Max: 4294967295 |
aaa_authentication:
login:
# Login authentication method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group radius group MYGROUP local"
default: <str>
# Console authentication method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group radius group MYGROUP local"
console: <str>
enable:
# Enable authentication method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group radius group MYGROUP local"
default: <str>
dot1x:
# 802.1x authentication method(s) as a string.
# Examples:
# - "group radius"
# - "group MYGROUP group radius"
default: <str>
policies:
on_failure_log: <bool>
on_success_log: <bool>
local:
allow_nopassword: <bool>
lockout:
failure: <int; 1-255>
duration: <int; 1-4294967295>
window: <int; 1-4294967295>
AAA authorization¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| aaa_authorization | Dictionary | ||||
| policy | Dictionary | ||||
| local_default_role | String | ||||
| exec | Dictionary | ||||
| default | String | Exec authorization method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group radius group MYGROUP local” |
|||
| config_commands | Boolean | ||||
| serial_console | Boolean | ||||
| dynamic | Dictionary | ||||
| dot1x_additional_groups | List, items: String | Min Length: 1 | |||
| - <str> | String | ||||
| commands | Dictionary | ||||
| all_default | String | Command authorization method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group tacacs+ group MYGROUP local |
|||
| privilege | List, items: Dictionary | ||||
| - level | String | Privilege level(s) 0-15 | |||
| default | String | Command authorization method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group tacacs+ group MYGROUP local” |
aaa_authorization:
policy:
local_default_role: <str>
exec:
# Exec authorization method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group radius group MYGROUP local"
default: <str>
config_commands: <bool>
serial_console: <bool>
dynamic:
dot1x_additional_groups: # >=1 items
- <str>
commands:
# Command authorization method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group tacacs+ group MYGROUP local
all_default: <str>
privilege:
# Privilege level(s) 0-15
- level: <str>
# Command authorization method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group tacacs+ group MYGROUP local"
default: <str>
AAA root¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| aaa_root | Dictionary | ||||
| secret | Dictionary | ||||
| sha512_password | String |
AAA server groups¶
Enable password¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| enable_password | Dictionary | ||||
| hash_algorithm | String | Valid Values: - md5- sha512 |
|||
| key | String | Must be the hash of the password using the specified algorithm. By default EOS salts the password, so the simplest is to generate the hash on an EOS device. |
IP radius source-interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_radius_source_interfaces | List, items: Dictionary | ||||
| - name | String | Interface Name | |||
| vrf | String | VRF Name |
IP tacacs source-interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_tacacs_source_interfaces | List, items: Dictionary | ||||
| - name | String | Interface name | |||
| vrf | String |
Local users¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| local_users | List, items: Dictionary | ||||
| - name | String | Required, Unique | Username | ||
| disabled | Boolean | If true, the user will be removed and all other settings are ignored. Useful for removing the default “admin” user. |
|||
| privilege | Integer | Min: 0 Max: 15 |
Initial privilege level with local EXEC authorization. |
||
| role | String | EOS RBAC Role to be assigned to the user such as “network-admin” or “network-operator” |
|||
| sha512_password | String | SHA512 Hash of Password Must be the hash of the password. By default EOS salts the password with the username, so the simplest is to generate the hash on an EOS device using the same username. |
|||
| no_password | Boolean | If set a password will not be configured for this user. “sha512_password” MUST not be defined for this user. |
|||
| ssh_key | String | ||||
| shell | String | Valid Values: - /bin/bash- /bin/sh- /sbin/nologin |
Specify shell for the user |
local_users:
# Username
- name: <str; required; unique>
# If true, the user will be removed and all other settings are ignored.
# Useful for removing the default "admin" user.
disabled: <bool>
# Initial privilege level with local EXEC authorization.
privilege: <int; 0-15>
# EOS RBAC Role to be assigned to the user such as "network-admin" or "network-operator"
role: <str>
# SHA512 Hash of Password
# Must be the hash of the password. By default EOS salts the password with the username, so the simplest is to generate the hash on an EOS device using the same username.
sha512_password: <str>
# If set a password will not be configured for this user. "sha512_password" MUST not be defined for this user.
no_password: <bool>
ssh_key: <str>
# Specify shell for the user
shell: <str; "/bin/bash" | "/bin/sh" | "/sbin/nologin">
Radius server¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| radius_server | Dictionary | ||||
| attribute_32_include_in_access_req | Dictionary | ||||
| hostname | Boolean | ||||
| format | String | Specify the format of the NAS-Identifier. If ‘hostname’ is set, this is ignored. | |||
| dynamic_authorization | Dictionary | ||||
| port | Integer | Min: 0 Max: 65535 |
TCP Port | ||
| tls_ssl_profile | String | Name of TLS profile | |||
| hosts | List, items: Dictionary | ||||
| - host | String | Required, Unique | Host IP address or name | ||
| vrf | String | ||||
| timeout | Integer | Min: 1 Max: 1000 |
|||
| retransmit | Integer | Min: 0 Max: 100 |
|||
| key | String | Encrypted key |
radius_server:
attribute_32_include_in_access_req:
hostname: <bool>
# Specify the format of the NAS-Identifier. If 'hostname' is set, this is ignored.
format: <str>
dynamic_authorization:
# TCP Port
port: <int; 0-65535>
# Name of TLS profile
tls_ssl_profile: <str>
hosts:
# Host IP address or name
- host: <str; required; unique>
vrf: <str>
timeout: <int; 1-1000>
retransmit: <int; 0-100>
# Encrypted key
key: <str>
Radius servers¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| radius_servers deprecated | List, items: Dictionary | This key is deprecated. Support will be removed in AVD version v5.0.0. Use radius_server.hosts instead. | |||
| - host | String | Host IP address or name | |||
| vrf | String | ||||
| key | String | Encrypted key |
Roles¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| roles | List, items: Dictionary | ||||
| - name | String | Role name | |||
| sequence_numbers | List, items: Dictionary | ||||
| - sequence | Integer | Sequence number | |||
| action | String | Valid Values: - permit- deny |
|||
| mode | String | “config”, “config-all”, “exec” or mode key as string |
|||
| command | String | Command as string |
Tacacs servers¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| tacacs_servers | Dictionary | ||||
| timeout | Integer | Min: 1 Max: 1000 |
Timeout in seconds | ||
| hosts | List, items: Dictionary | ||||
| - host | String | Host IP address or name | |||
| vrf | String | ||||
| key | String | Encrypted key | |||
| key_type | String | 7 |
Valid Values: - 0- 7- 8a |
||
| single_connection | Boolean | ||||
| timeout | Integer | Min: 1 Max: 1000 |
Timeout in seconds | ||
| policy_unknown_mandatory_attribute_ignore | Boolean |
tacacs_servers:
# Timeout in seconds
timeout: <int; 1-1000>
hosts:
# Host IP address or name
- host: <str>
vrf: <str>
# Encrypted key
key: <str>
key_type: <str; "0" | "7" | "8a"; default="7">
single_connection: <bool>
# Timeout in seconds
timeout: <int; 1-1000>
policy_unknown_mandatory_attribute_ignore: <bool>
ACLs¶
IP Extended access-lists¶
AVD currently supports two different data models for extended ACLs:
- The legacy
access_listsdata model, for compatibility with existing deployments - The improved
ip_access_listsdata model, for access to more EOS features
Both data models can coexists without conflicts, as different keys are used: access_lists vs ip_access_lists.
Access list names must be unique.
The legacy data model supports simplified ACL definition with sequence to action mapping:
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| access_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | Access-list Name | ||
| counters_per_entry | Boolean | ||||
| sequence_numbers | List, items: Dictionary | Required | |||
| - sequence | Integer | Required, Unique | Sequence ID | ||
| action | String | Required | Action as string Example: “deny ip any any” |
The improved data model has a more sophisticated design documented below:
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_access_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | Access-list Name | ||
| counters_per_entry | Boolean | ||||
| entries | List, items: Dictionary | ACL Entries | |||
| - sequence | Integer | ACL entry sequence number. |
|||
| remark | String | Comment up to 100 characters. If remark is defined, other keys in acl entry will be ignored. |
|||
| action | String | Valid Values: - permit- deny |
ACL action. Required for standard entry. |
||
| protocol | String | ip, tcp, udp, icmp or other protocol name or number. Required for standard entry. |
|||
| source | String | any, A.B.C.D/E or A.B.C.D. A.B.C.D without a mask means host. Required for standard entry. |
|||
| source_ports_match | String | eq |
Valid Values: - eq- gt- lt- neq- range |
||
| source_ports | List, items: String | ||||
| - <str> | String | TCP/UDP source port name or number. | |||
| destination | String | any, A.B.C.D/E or A.B.C.D. A.B.C.D without a mask means host. Required for standard entry. |
|||
| destination_ports_match | String | eq |
Valid Values: - eq- gt- lt- neq- range |
||
| destination_ports | List, items: String | ||||
| - <str> | String | TCP/UDP destination port name or number. | |||
| tcp_flags | List, items: String | ||||
| - <str> | String | TCP Flag Name | |||
| fragments | Boolean | Match non-head fragment packets. | |||
| log | Boolean | Log matches against this rule. | |||
| ttl | Integer | Min: 0 Max: 255 |
TTL value | ||
| ttl_match | String | eq |
Valid Values: - eq- gt- lt- neq |
||
| icmp_type | String | Message type name/number for ICMP packets. | |||
| icmp_code | String | Message code for ICMP packets. | |||
| nexthop_group | String | nexthop-group name. | |||
| tracked | Boolean | Match packets in existing ICMP/UDP/TCP connections. | |||
| dscp | String | DSCP value or name. | |||
| vlan_number | Integer | ||||
| vlan_inner | Boolean | False |
|||
| vlan_mask | String | 0x000-0xFFF VLAN mask. |
ip_access_lists:
# Access-list Name
- name: <str; required; unique>
counters_per_entry: <bool>
# ACL Entries
entries:
# ACL entry sequence number.
- sequence: <int>
# Comment up to 100 characters.
# If remark is defined, other keys in acl entry will be ignored.
remark: <str>
# ACL action.
# Required for standard entry.
action: <str; "permit" | "deny">
# ip, tcp, udp, icmp or other protocol name or number.
# Required for standard entry.
protocol: <str>
# any, A.B.C.D/E or A.B.C.D.
# A.B.C.D without a mask means host.
# Required for standard entry.
source: <str>
source_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
source_ports:
# TCP/UDP source port name or number.
- <str>
# any, A.B.C.D/E or A.B.C.D.
# A.B.C.D without a mask means host.
# Required for standard entry.
destination: <str>
destination_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
destination_ports:
# TCP/UDP destination port name or number.
- <str>
tcp_flags:
# TCP Flag Name
- <str>
# Match non-head fragment packets.
fragments: <bool>
# Log matches against this rule.
log: <bool>
# TTL value
ttl: <int; 0-255>
ttl_match: <str; "eq" | "gt" | "lt" | "neq"; default="eq">
# Message type name/number for ICMP packets.
icmp_type: <str>
# Message code for ICMP packets.
icmp_code: <str>
# nexthop-group name.
nexthop_group: <str>
# Match packets in existing ICMP/UDP/TCP connections.
tracked: <bool>
# DSCP value or name.
dscp: <str>
vlan_number: <int>
vlan_inner: <bool; default=False>
# 0x000-0xFFF VLAN mask.
vlan_mask: <str>
The improved data model allows to limit the number of ACL entries that AVD is allowed to generate by defining ip_access_lists_max_entries.
Only normal entries under ip_access_lists will be counted, remarks will be ignored.
If the number is above the limit, the playbook will fail. This provides a simplified control over hardware utilization.
The numbers must be based on the hardware tests and AVD does not provide any guidance. Note that other EOS features may use the same hardware resources and affect the supported scale.
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_access_lists_max_entries | Integer | Limit ACL entries defined under the ip_access_lists. |
IPv6 access-lists¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ipv6_access_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | IPv6 Access-list Name | ||
| counters_per_entry | Boolean | ||||
| sequence_numbers | List, items: Dictionary | Required | |||
| - sequence | Integer | Required, Unique | Sequence ID | ||
| action | String | Required | Action as string Example: “deny ipv6 any any” |
IPv6 standard access-lists¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ipv6_standard_access_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | Access-list Name | ||
| counters_per_entry | Boolean | ||||
| sequence_numbers | List, items: Dictionary | Required | |||
| - sequence | Integer | Required, Unique | Sequence ID | ||
| action | String | Required | Action as string Example: “deny ipv6 any any” |
MAC access-lists¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| mac_access_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | MAC Access-list Name | ||
| counters_per_entry | Boolean | ||||
| entries | List, items: Dictionary | ||||
| - sequence | Integer | ||||
| action | String |
Standard access-lists¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| standard_access_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | Access-list Name | ||
| counters_per_entry | Boolean | ||||
| sequence_numbers | List, items: Dictionary | Required | |||
| - sequence | Integer | Required, Unique | Sequence ID | ||
| action | String | Required | Action as string Example: “deny ip any any” |
Endpoint Security¶
Address-locking¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| address_locking | Dictionary | ||||
| dhcp_servers_ipv4 | List, items: String | ||||
| - <str> | String | DHCP server IPv4 address | |||
| disabled | Boolean | Disable IP locking on configured ports | |||
| leases | List, items: Dictionary | ||||
| - ip | String | Required | IP address | ||
| mac | String | Required | MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh) | ||
| local_interface | String | ||||
| locked_address | Dictionary | ||||
| expiration_mac_disabled | Boolean | Configure deauthorizing locked addresses upon MAC aging out | |||
| ipv4_enforcement_disabled | Boolean | Configure enforcement for locked IPv4 addresses | |||
| ipv6_enforcement_disabled | Boolean | Configure enforcement for locked IPv6 addresses |
address_locking:
dhcp_servers_ipv4:
# DHCP server IPv4 address
- <str>
# Disable IP locking on configured ports
disabled: <bool>
leases:
# IP address
- ip: <str; required>
# MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh)
mac: <str; required>
local_interface: <str>
locked_address:
# Configure deauthorizing locked addresses upon MAC aging out
expiration_mac_disabled: <bool>
# Configure enforcement for locked IPv4 addresses
ipv4_enforcement_disabled: <bool>
# Configure enforcement for locked IPv6 addresses
ipv6_enforcement_disabled: <bool>
Dot1x¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| dot1x | Dictionary | ||||
| system_auth_control | Boolean | ||||
| protocol_lldp_bypass | Boolean | ||||
| dynamic_authorization | Boolean | ||||
| mac_based_authentication | Dictionary | ||||
| delay | Integer | Min: 0 Max: 300 |
|||
| hold_period | Integer | Min: 1 Max: 300 |
|||
| radius_av_pair | Dictionary | ||||
| service_type | Boolean | ||||
| framed_mtu | Integer | Min: 68 Max: 9236 |
MAC security¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| mac_security | Dictionary | ||||
| license | Dictionary | ||||
| license_name | String | Required | |||
| license_key | String | Required | |||
| fips_restrictions | Boolean | ||||
| profiles | List, items: Dictionary | ||||
| - name | String | Required, Unique | Profile-Name | ||
| cipher | String | Valid Values: - aes128-gcm- aes128-gcm-xpn- aes256-gcm- aes256-gcm-xpn |
|||
| connection_keys | List, items: Dictionary | ||||
| - id | String | Required, Unique | |||
| encrypted_key | String | ||||
| fallback | Boolean | ||||
| mka | Dictionary | ||||
| key_server_priority | Integer | Min: 0 Max: 255 |
|||
| session | Dictionary | ||||
| rekey_period | Integer | Min: 30 Max: 100000 |
Rekey period in seconds | ||
| sci | Boolean | ||||
| l2_protocols | Dictionary | ||||
| ethernet_flow_control | Dictionary | ||||
| mode | String | Required | Valid Values: - encrypt- bypass |
||
| lldp | Dictionary | ||||
| mode | String | Required | Valid Values: - bypass- bypass unauthorized |
mac_security:
license:
license_name: <str; required>
license_key: <str; required>
fips_restrictions: <bool>
profiles:
# Profile-Name
- name: <str; required; unique>
cipher: <str; "aes128-gcm" | "aes128-gcm-xpn" | "aes256-gcm" | "aes256-gcm-xpn">
connection_keys:
- id: <str; required; unique>
encrypted_key: <str>
fallback: <bool>
mka:
key_server_priority: <int; 0-255>
session:
# Rekey period in seconds
rekey_period: <int; 30-100000>
sci: <bool>
l2_protocols:
ethernet_flow_control:
mode: <str; "encrypt" | "bypass"; required>
lldp:
mode: <str; "bypass" | "bypass unauthorized"; required>
Filters and policies¶
AS path¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| as_path | Dictionary | ||||
| regex_mode | String | Valid Values: - asn- string |
|||
| access_lists | List, items: Dictionary | ||||
| - name | String | Access List Name | |||
| entries | List, items: Dictionary | ||||
| - type | String | Valid Values: - permit- deny |
|||
| match | String | Regex To Match | |||
| origin | String | any |
Valid Values: - any- egp- igp- incomplete |
Class-maps¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| class_maps | Dictionary | ||||
| pbr | List, items: Dictionary | ||||
| - name | String | Required, Unique | Class-Map Name | ||
| ip | Dictionary | ||||
| access_group | String | Standard Access-List Name | |||
| qos | List, items: Dictionary | ||||
| - name | String | Required, Unique | Class-Map Name | ||
| vlan | String | VLAN value(s) or range(s) of VLAN values | |||
| cos | String | CoS value(s) or range(s) of CoS values | |||
| ip | Dictionary | ||||
| access_group | String | IPv4 Access-List Name | |||
| ipv6 | Dictionary | ||||
| access_group | String | IPv6 Access-List Name |
class_maps:
pbr:
# Class-Map Name
- name: <str; required; unique>
ip:
# Standard Access-List Name
access_group: <str>
qos:
# Class-Map Name
- name: <str; required; unique>
# VLAN value(s) or range(s) of VLAN values
vlan: <str>
# CoS value(s) or range(s) of CoS values
cos: <str>
ip:
# IPv4 Access-List Name
access_group: <str>
ipv6:
# IPv6 Access-List Name
access_group: <str>
Dynamic prefix lists¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| dynamic_prefix_lists | List, items: Dictionary | ||||
| - name | String | Dynamic prefix-list name | |||
| match_map | String | Route-map name | |||
| prefix_list | Dictionary | ||||
| ipv4 | String | Prefix-list name | |||
| ipv6 | String | Prefix-list name |
IP community lists¶
AVD currently supports two different data models for community lists:
- The legacy
community_listsdata model that can be used for compatibility with the existing deployments. - The improved
ip_community_listsdata model.
Both data models can coexist without conflicts, as different keys are used: community_lists vs ip_community_lists.
Community list names must be unique.
The legacy data model supports simplified community list definition that only allows a single action to be defined as string:
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| community_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | Community-list Name | ||
| action | String | Required | Action as string Example: “permit GSHUT 65123:123” |
The improved data model has a better design documented below:
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_community_lists | List, items: Dictionary | Communities and regexp entries MUST not be configured in the same community-list |
|||
| - name | String | Required, Unique | IP Community-list Name | ||
| entries | List, items: Dictionary | Required | |||
| - action | String | Required | Valid Values: - permit- deny |
||
| communities | List, items: String | If defined, a standard community-list will be configured. Supported community strings (case insensitive): - GSHUT - internet - local-as - no-advertise - no-export - <1-4294967040> - aa:nn |
|||
| - <str> | String | ||||
| regexp | String | Regular Expression If defined, a regex community-list will be configured |
# Communities and regexp entries MUST not be configured in the same community-list
ip_community_lists:
# IP Community-list Name
- name: <str; required; unique>
entries: # required
- action: <str; "permit" | "deny"; required>
# If defined, a standard community-list will be configured.
# Supported community strings (case insensitive):
# - GSHUT
# - internet
# - local-as
# - no-advertise
# - no-export
# - <1-4294967040>
# - aa:nn
communities:
- <str>
# Regular Expression
# If defined, a regex community-list will be configured
regexp: <str>
IP extcommunity-lists¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_extcommunity_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | Community-list Name | ||
| entries | List, items: Dictionary | Required | |||
| - type | String | Required | Valid Values: - permit- deny |
||
| extcommunities | String | Required | Communities as string Example: “65000:65000” |
IP extcommunity-lists-regexp¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_extcommunity_lists_regexp | List, items: Dictionary | ||||
| - name | String | Required, Unique | Community-list Name | ||
| entries | List, items: Dictionary | Required | |||
| - type | String | Required | Valid Values: - permit- deny |
||
| regexp | String | Required | Regular Expression |
IPv6 prefix-lists¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ipv6_prefix_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | Prefix-list Name | ||
| sequence_numbers | List, items: Dictionary | Required | |||
| - sequence | Integer | Required, Unique | Sequence ID | ||
| action | String | Required | Action as string Example: “permit 1b11:3a00:22b0:0082::/64 eq 128” |
Match list input¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| match_list_input | Dictionary | ||||
| string | List, items: Dictionary | ||||
| - name | String | Required, Unique | Match-list Name | ||
| sequence_numbers | List, items: Dictionary | Required | |||
| - sequence | Integer | Required, Unique | Sequence ID | ||
| match_regex | String | Required | Regular Expression |
Peer-filters¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| peer_filters | List, items: Dictionary | ||||
| - name | String | Required, Unique | Peer-filter Name | ||
| sequence_numbers | List, items: Dictionary | Required | |||
| - sequence | Integer | Required, Unique | Sequence ID | ||
| match | String | Required | Match as string Example: “as-range 1-100 result accept” |
Policy-maps¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| policy_maps | Dictionary | ||||
| pbr | List, items: Dictionary | PBR Policy-Maps | |||
| - name | String | Required, Unique | Policy-Map Name | ||
| classes | List, items: Dictionary | ||||
| - name | String | Required, Unique | Class Name | ||
| index | Integer | ||||
| drop | Boolean | ‘drop’ and ‘set’ are mutually exclusive | |||
| set | Dictionary | Set Nexthop ‘drop’ and ‘set’ are mutually exclusive |
|||
| nexthop | Dictionary | ||||
| ip_address | String | IPv4 or IPv6 Address | |||
| recursive | Boolean | ||||
| qos | List, items: Dictionary | QOS Policy-Maps | |||
| - name | String | Required, Unique | Policy-Map Name | ||
| classes | List, items: Dictionary | ||||
| - name | String | Required, Unique | Class Name | ||
| set | Dictionary | ||||
| cos | Integer | ||||
| dscp | String | ||||
| traffic_class | Integer | ||||
| drop_precedence | Integer |
policy_maps:
# PBR Policy-Maps
pbr:
# Policy-Map Name
- name: <str; required; unique>
classes:
# Class Name
- name: <str; required; unique>
index: <int>
# 'drop' and 'set' are mutually exclusive
drop: <bool>
# Set Nexthop
# 'drop' and 'set' are mutually exclusive
set:
nexthop:
# IPv4 or IPv6 Address
ip_address: <str>
recursive: <bool>
# QOS Policy-Maps
qos:
# Policy-Map Name
- name: <str; required; unique>
classes:
# Class Name
- name: <str; required; unique>
set:
cos: <int>
dscp: <str>
traffic_class: <int>
drop_precedence: <int>
Prefix-lists¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| prefix_lists | List, items: Dictionary | ||||
| - name | String | Required, Unique | Prefix-list Name | ||
| sequence_numbers | List, items: Dictionary | ||||
| - sequence | Integer | Required, Unique | Sequence ID | ||
| action | String | Required | Action as string Example: “permit 10.255.0.0/27 eq 32” |
Route-maps¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| route_maps | List, items: Dictionary | ||||
| - name | String | Required, Unique | Route-map Name | ||
| sequence_numbers | List, items: Dictionary | Required | |||
| - sequence | Integer | Required, Unique | Sequence ID | ||
| type | String | Required | Valid Values: - permit- deny |
||
| description | String | ||||
| match | List, items: String | List of “match” statements | |||
| - <str> | String | Match as string Example: “ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY” |
|||
| set | List, items: String | List of “set” statements | |||
| - <str> | String | Set as string Example: “origin incomplete” |
|||
| sub_route_map | String | Name of Sub-Route-map | |||
| continue | Dictionary | ||||
| enabled | Boolean | ||||
| sequence_number | Integer |
route_maps:
# Route-map Name
- name: <str; required; unique>
sequence_numbers: # required
# Sequence ID
- sequence: <int; required; unique>
type: <str; "permit" | "deny"; required>
description: <str>
# List of "match" statements
match:
# Match as string
# Example: "ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY"
- <str>
# List of "set" statements
set:
# Set as string
# Example: "origin incomplete"
- <str>
# Name of Sub-Route-map
sub_route_map: <str>
continue:
enabled: <bool>
sequence_number: <int>
Trackers¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| trackers | List, items: Dictionary | ||||
| - name | String | Required, Unique | Name of tracker object | ||
| interface | String | Required | Name of tracked interface | ||
| tracked_property | String | line-protocol |
Property to track |
Traffic policies¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| traffic_policies | Dictionary | ||||
| options | Dictionary | ||||
| counter_per_interface | Boolean | ||||
| field_sets | Dictionary | ||||
| ipv4 | List, items: Dictionary | ||||
| - name | String | Required, Unique | IPv4 Prefix Field Set Name | ||
| prefixes | List, items: String | ||||
| - <str> | String | IPv4 Prefix | |||
| ipv6 | List, items: Dictionary | ||||
| - name | String | Required, Unique | IPv6 Prefix Field Set Name | ||
| prefixes | List, items: String | ||||
| - <str> | String | IPv6 Prefix | |||
| ports | List, items: Dictionary | ||||
| - name | String | Required, Unique | L4 Port Field Set Name | ||
| port_range | String | Example: ‘10,20,80,440-450’ | |||
| policies | List, items: Dictionary | ||||
| - name | String | Required, Unique | Traffic Policy Name | ||
| matches | List, items: Dictionary | ||||
| - name | String | Required, Unique | Traffic Policy Item | ||
| type | String | Valid Values: - ipv4- ipv6 |
|||
| source | Dictionary | ||||
| prefixes | List, items: String | ||||
| - <str> | String | IP address or prefix | |||
| prefix_lists | List, items: String | Field-set prefix lists | |||
| - <str> | String | ||||
| destination | Dictionary | ||||
| prefixes | List, items: String | ||||
| - <str> | String | IP address or prefix | |||
| prefix_lists | List, items: String | Field-set prefix lists | |||
| - <str> | String | ||||
| ttl | String | TTL range | |||
| fragment | Dictionary | The ‘fragment’ command is not supported when ‘source port’ or ‘destination port’ command is configured |
|||
| offset | String | Fragment offset range | |||
| protocols | List, items: Dictionary | ||||
| - protocol | String | Required, Unique | |||
| src_port | String | Port range | |||
| dst_port | String | Port range | |||
| src_field | String | L4 port range field set | |||
| dst_field | String | L4 port range field set | |||
| flags | List, items: String | ||||
| - <str> | String | Valid Values: - established- initial |
|||
| icmp_type | List, items: String | ||||
| - <str> | String | ||||
| actions | Dictionary | ||||
| dscp | Integer | ||||
| traffic_class | Integer | Traffic class ID | |||
| count | String | Counter name | |||
| drop | Boolean | ||||
| log | Boolean | Only supported when action is set to drop | |||
| default_actions | Dictionary | ||||
| ipv4 | Dictionary | ||||
| dscp | Integer | ||||
| traffic_class | Integer | Traffic class ID | |||
| count | String | Counter name | |||
| drop | Boolean | ||||
| log | Boolean | Only supported when action is set to drop | |||
| ipv6 | Dictionary | ||||
| dscp | Integer | ||||
| traffic_class | Integer | Traffic class ID | |||
| count | String | Counter name | |||
| drop | Boolean | ||||
| log | Boolean | Only supported when action is set to drop |
traffic_policies:
options:
counter_per_interface: <bool>
field_sets:
ipv4:
# IPv4 Prefix Field Set Name
- name: <str; required; unique>
prefixes:
# IPv4 Prefix
- <str>
ipv6:
# IPv6 Prefix Field Set Name
- name: <str; required; unique>
prefixes:
# IPv6 Prefix
- <str>
ports:
# L4 Port Field Set Name
- name: <str; required; unique>
# Example: '10,20,80,440-450'
port_range: <str>
policies:
# Traffic Policy Name
- name: <str; required; unique>
matches:
# Traffic Policy Item
- name: <str; required; unique>
type: <str; "ipv4" | "ipv6">
source:
prefixes:
# IP address or prefix
- <str>
# Field-set prefix lists
prefix_lists:
- <str>
destination:
prefixes:
# IP address or prefix
- <str>
# Field-set prefix lists
prefix_lists:
- <str>
# TTL range
ttl: <str>
# The 'fragment' command is not supported when 'source port'
# or 'destination port' command is configured
fragment:
# Fragment offset range
offset: <str>
protocols:
- protocol: <str; required; unique>
# Port range
src_port: <str>
# Port range
dst_port: <str>
# L4 port range field set
src_field: <str>
# L4 port range field set
dst_field: <str>
flags:
- <str; "established" | "initial">
icmp_type:
- <str>
actions:
dscp: <int>
# Traffic class ID
traffic_class: <int>
# Counter name
count: <str>
drop: <bool>
# Only supported when action is set to drop
log: <bool>
default_actions:
ipv4:
dscp: <int>
# Traffic class ID
traffic_class: <int>
# Counter name
count: <str>
drop: <bool>
# Only supported when action is set to drop
log: <bool>
ipv6:
dscp: <int>
# Traffic class ID
traffic_class: <int>
# Counter name
count: <str>
drop: <bool>
# Only supported when action is set to drop
log: <bool>
Interfaces¶
DPS interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| dps_interfaces | List, items: Dictionary | Min Length: 1 Max Length: 1 |
|||
| - name | String | Required, Unique | Valid Values: - Dps1 |
“Dps1” is currently the only supported interface. | |
| description | String | ||||
| shutdown | Boolean | ||||
| mtu | Integer | Min: 68 Max: 65535 |
Maximum Transmission Unit in bytes. | ||
| ip_address | String | IPv4 address/mask. | |||
| flow_tracker | Dictionary | ||||
| sampled | String | Sampled flow tracker name. | |||
| hardware | String | Hardware flow tracker name, | |||
| tcp_mss_ceiling | Dictionary | ||||
| ipv4 | Integer | Min: 64 Max: 65495 |
Segment Size for IPv4. | ||
| ipv6 | Integer | Min: 64 Max: 65475 |
Segment Size for IPv6. | ||
| direction | String | Valid Values: - ingress- egress |
Optional direction (‘ingress’, ‘egress’) for tcp mss ceiling. | ||
| eos_cli | String | Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration. |
dps_interfaces: # 1-1 items
# "Dps1" is currently the only supported interface.
- name: <str; "Dps1"; required; unique>
description: <str>
shutdown: <bool>
# Maximum Transmission Unit in bytes.
mtu: <int; 68-65535>
# IPv4 address/mask.
ip_address: <str>
flow_tracker:
# Sampled flow tracker name.
sampled: <str>
# Hardware flow tracker name,
hardware: <str>
tcp_mss_ceiling:
# Segment Size for IPv4.
ipv4: <int; 64-65495>
# Segment Size for IPv6.
ipv6: <int; 64-65475>
# Optional direction ('ingress', 'egress') for tcp mss ceiling.
direction: <str; "ingress" | "egress">
# Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration.
eos_cli: <str>
Errdisable¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| errdisable | Dictionary | ||||
| detect | Dictionary | ||||
| causes | List, items: String | ||||
| - <str> | String | Valid Values: - acl- arp-inspection- dot1x- link-change- tapagg- xcvr-misconfigured- xcvr-overheat- xcvr-power-unsupported |
|||
| recovery | Dictionary | ||||
| causes | List, items: String | ||||
| - <str> | String | Valid Values: - arp-inspection- bpduguard- dot1x- hitless-reload-down- lacp-rate-limit- link-flap- no-internal-vlan- portchannelguard- portsec- speed-misconfigured- tap-port-init- tapagg- uplink-failure-detection- xcvr-misconfigured- xcvr-overheat- xcvr-power-unsupported- xcvr-unsupported |
|||
| interval | Integer | 300 |
Min: 30 Max: 86400 |
Interval in seconds |
errdisable:
detect:
causes:
- <str; "acl" | "arp-inspection" | "dot1x" | "link-change" | "tapagg" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported">
recovery:
causes:
- <str; "arp-inspection" | "bpduguard" | "dot1x" | "hitless-reload-down" | "lacp-rate-limit" | "link-flap" | "no-internal-vlan" | "portchannelguard" | "portsec" | "speed-misconfigured" | "tap-port-init" | "tapagg" | "uplink-failure-detection" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported" | "xcvr-unsupported">
# Interval in seconds
interval: <int; 30-86400; default=300>
Ethernet interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ethernet_interfaces | List, items: Dictionary | ||||
| - name | String | Required, Unique | |||
| description | String | ||||
| shutdown | Boolean | ||||
| load_interval | Integer | Min: 0 Max: 600 |
Interval in seconds for updating interface counters” | ||
| speed | String | Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>. |
|||
| mtu | Integer | Min: 68 Max: 65535 |
|||
| l2_mtu | Integer | Min: 68 Max: 65535 |
“l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI |
||
| l2_mru | Integer | Min: 68 Max: 65535 |
“l2_mru” should only be defined for platforms supporting the “l2 mru” CLI |
||
| vlans | String | List of switchport vlans as string For a trunk port this would be a range like “1-200,300” For an access port this would be a single vlan “123” |
|||
| native_vlan | Integer | ||||
| native_vlan_tag | Boolean | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence | |||
| mode | String | Valid Values: - access- dot1q-tunnel- trunk- trunk phone |
|||
| phone | Dictionary | ||||
| trunk | String | Valid Values: - tagged- tagged phone- untagged- untagged phone |
|||
| vlan | Integer | Min: 1 Max: 4094 |
|||
| l2_protocol | Dictionary | ||||
| encapsulation_dot1q_vlan | Integer | Vlan tag to configure on sub-interface | |||
| forwarding_profile | String | L2 protocol forwarding profile | |||
| trunk_groups | List, items: String | ||||
| - <str> | String | ||||
| type | String | Valid Values: - routed- switched- l3dot1q- l2dot1q- port-channel-member |
l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed. Interface will not be listed in device documentation, unless “type” is set. |
||
| snmp_trap_link_change | Boolean | ||||
| address_locking | Dictionary | ||||
| ipv4 | Boolean | Enable address locking for IPv4 | |||
| ipv6 | Boolean | Enable address locking for IPv6 | |||
| flowcontrol | Dictionary | ||||
| received | String | Valid Values: - desired- on- off |
|||
| vrf | String | VRF name | |||
| flow_tracker | Dictionary | ||||
| sampled | String | Sampled flow tracker name. | |||
| hardware | String | Hardware flow tracker name. | |||
| error_correction_encoding | Dictionary | ||||
| enabled | Boolean | True |
|||
| fire_code | Boolean | ||||
| reed_solomon | Boolean | ||||
| link_tracking_groups | List, items: Dictionary | ||||
| - name | String | Required, Unique | Group name | ||
| direction | String | Valid Values: - upstream- downstream |
|||
| evpn_ethernet_segment | Dictionary | ||||
| identifier | String | EVPN Ethernet Segment Identifier (Type 1 format) | |||
| redundancy | String | Valid Values: - all-active- single-active |
|||
| designated_forwarder_election | Dictionary | ||||
| algorithm | String | Valid Values: - modulus- preference |
|||
| preference_value | Integer | Min: 0 Max: 65535 |
Preference_value is only used when “algorithm” is “preference” | ||
| dont_preempt | Boolean | Dont_preempt is only used when “algorithm” is “preference” | |||
| hold_time | Integer | ||||
| subsequent_hold_time | Integer | ||||
| candidate_reachability_required | Boolean | ||||
| mpls | Dictionary | ||||
| shared_index | Integer | Min: 1 Max: 1024 |
|||
| tunnel_flood_filter_time | Integer | ||||
| route_target | String | EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx | |||
| encapsulation_dot1q_vlan | Integer | VLAN tag to configure on sub-interface | |||
| encapsulation_vlan | Dictionary | ||||
| client | Dictionary | ||||
| dot1q | Dictionary | ||||
| vlan | Integer | Client VLAN ID | |||
| outer | Integer | Client Outer VLAN ID | |||
| inner | Integer | Client Inner VLAN ID | |||
| unmatched | Boolean | ||||
| network | Dictionary | Network encapsulations are all optional and skipped if using client unmatched | |||
| dot1q | Dictionary | ||||
| vlan | Integer | Network VLAN ID | |||
| outer | Integer | Network outer VLAN ID | |||
| inner | Integer | Network inner VLAN ID | |||
| client | Boolean | ||||
| vlan_id | Integer | Min: 1 Max: 4094 |
|||
| ip_address | String | IPv4 address/mask or “dhcp” | |||
| ip_address_secondaries | List, items: String | ||||
| - <str> | String | ||||
| dhcp_client_accept_default_route | Boolean | Install default-route obtained via DHCP | |||
| dhcp_server_ipv4 | Boolean | Enable IPv4 DHCP server. | |||
| dhcp_server_ipv6 | Boolean | Enable IPv6 DHCP server. | |||
| ip_helpers | List, items: Dictionary | ||||
| - ip_helper | String | Required, Unique | |||
| source_interface | String | Source interface name | |||
| vrf | String | VRF name | |||
| ip_nat | Dictionary | ||||
| service_profile | String | NAT interface profile. | |||
| destination | Dictionary | ||||
| dynamic | List, items: Dictionary | ||||
| - access_list | String | Required, Unique | |||
| comment | String | ||||
| pool_name | String | Required | |||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| static | List, items: Dictionary | ||||
| - access_list | String | ‘access_list’ and ‘group’ are mutual exclusive | |||
| comment | String | ||||
| direction | String | Valid Values: - egress- ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
| group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive | ||
| original_ip | String | Required, Unique | IPv4 address | ||
| original_port | Integer | Min: 1 Max: 65535 |
|||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| protocol | String | Valid Values: - udp- tcp |
|||
| translated_ip | String | Required | IPv4 address | ||
| translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’ | ||
| source | Dictionary | ||||
| dynamic | List, items: Dictionary | ||||
| - access_list | String | Required, Unique | |||
| comment | String | ||||
| nat_type | String | Required | Valid Values: - overload- pool- pool-address-only- pool-full-cone |
||
| pool_name | String | required if ‘nat_type’ is pool, pool-address-only or pool-full-cone ignored if ‘nat_type’ is overload |
|||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| static | List, items: Dictionary | ||||
| - access_list | String | ‘access_list’ and ‘group’ are mutual exclusive | |||
| comment | String | ||||
| direction | String | Valid Values: - egress- ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
| group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive | ||
| original_ip | String | Required, Unique | IPv4 address | ||
| original_port | Integer | Min: 1 Max: 65535 |
|||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| protocol | String | Valid Values: - udp- tcp |
|||
| translated_ip | String | Required | IPv4 address | ||
| translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’ | ||
| ipv6_enable | Boolean | ||||
| ipv6_address | String | ||||
| ipv6_address_link_local | String | Link local IPv6 address/mask | |||
| ipv6_nd_ra_disabled | Boolean | ||||
| ipv6_nd_managed_config_flag | Boolean | ||||
| ipv6_nd_prefixes | List, items: Dictionary | ||||
| - ipv6_prefix | String | Required, Unique | |||
| valid_lifetime | String | Infinite or lifetime in seconds | |||
| preferred_lifetime | String | Infinite or lifetime in seconds | |||
| no_autoconfig_flag | Boolean | ||||
| ipv6_dhcp_relay_destinations | List, items: Dictionary | ||||
| - address | String | Required, Unique | DHCP server’s IPv6 address | ||
| vrf | String | ||||
| local_interface | String | Local interface to communicate with DHCP server - mutually exclusive to source_address | |||
| source_address | String | Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface | |||
| link_address | String | Override the default link address specified in the relayed DHCP packet | |||
| access_group_in | String | Access list name | |||
| access_group_out | String | Access list name | |||
| ipv6_access_group_in | String | IPv6 access list name | |||
| ipv6_access_group_out | String | IPv6 access list name | |||
| mac_access_group_in | String | MAC access list name | |||
| mac_access_group_out | String | MAC access list name | |||
| multicast | Dictionary | Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both | |||
| ipv4 | Dictionary | ||||
| boundaries | List, items: Dictionary | ||||
| - boundary | String | ACL name or multicast IP subnet | |||
| out | Boolean | ||||
| static | Boolean | ||||
| ipv6 | Dictionary | ||||
| boundaries | List, items: Dictionary | ||||
| - boundary | String | ACL name or multicast IP subnet | |||
| static | Boolean | ||||
| ospf_network_point_to_point | Boolean | ||||
| ospf_area | String | ||||
| ospf_cost | Integer | ||||
| ospf_authentication | String | Valid Values: - none- simple- message-digest |
|||
| ospf_authentication_key | String | Encrypted password - only type 7 supported | |||
| ospf_message_digest_keys | List, items: Dictionary | ||||
| - id | Integer | Required, Unique | |||
| hash_algorithm | String | Valid Values: - md5- sha1- sha256- sha384- sha512 |
|||
| key | String | Encrypted password - only type 7 supported | |||
| pim | Dictionary | ||||
| ipv4 | Dictionary | ||||
| dr_priority | Integer | Min: 0 Max: 429467295 |
|||
| sparse_mode | Boolean | ||||
| mac_security | Dictionary | ||||
| profile | String | ||||
| channel_group | Dictionary | ||||
| id | Integer | ||||
| mode | String | Valid Values: - on- active- passive |
|||
| isis_enable | String | ISIS instance | |||
| isis_passive | Boolean | ||||
| isis_metric | Integer | ||||
| isis_network_point_to_point | Boolean | ||||
| isis_circuit_type | String | Valid Values: - level-1-2- level-1- level-2 |
|||
| isis_hello_padding | Boolean | ||||
| isis_authentication_mode | String | Valid Values: - text- md5 |
|||
| isis_authentication_key | String | Type-7 encrypted password | |||
| poe | Dictionary | ||||
| disabled | Boolean | False |
Disable PoE on a POE capable port. PoE is enabled on all ports that support it by default in EOS. | ||
| priority | String | Valid Values: - critical- high- medium- low |
Prioritize a port’s power in the event that one of the switch’s power supplies loses power | ||
| reboot | Dictionary | Set the PoE power behavior for a PoE port when the system is rebooted | |||
| action | String | Valid Values: - maintain- power-off |
PoE action for interface | ||
| link_down | Dictionary | Set the PoE power behavior for a PoE port when the port goes down | |||
| action | String | Valid Values: - maintain- power-off |
PoE action for interface | ||
| power_off_delay | Integer | Min: 1 Max: 86400 |
Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS. | ||
| shutdown | Dictionary | Set the PoE power behavior for a PoE port when the port is admin down | |||
| action | String | Valid Values: - maintain- power-off |
PoE action for interface | ||
| limit | Dictionary | Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class. | |||
| class | Integer | Min: 0 Max: 8 |
|||
| watts | String | ||||
| fixed | Boolean | Set to ignore hardware classification | |||
| negotiation_lldp | Boolean | Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS. | |||
| legacy_detect | Boolean | Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections. | |||
| ptp | Dictionary | ||||
| enable | Boolean | ||||
| announce | Dictionary | ||||
| interval | Integer | ||||
| timeout | Integer | ||||
| delay_req | Integer | ||||
| delay_mechanism | String | Valid Values: - e2e- p2p |
|||
| sync_message | Dictionary | ||||
| interval | Integer | ||||
| role | String | Valid Values: - master- dynamic |
|||
| vlan | String | VLAN can be ‘all’ or list of vlans as string | |||
| transport | String | Valid Values: - ipv4- ipv6- layer2 |
|||
| profile | String | Interface profile | |||
| storm_control | Dictionary | ||||
| all | Dictionary | ||||
| level | String | Configure maximum storm-control level | |||
| unit | String | percent |
Valid Values: - percent- pps |
Optional field and is hardware dependent | |
| broadcast | Dictionary | ||||
| level | String | Configure maximum storm-control level | |||
| unit | String | percent |
Valid Values: - percent- pps |
Optional field and is hardware dependent | |
| multicast | Dictionary | ||||
| level | String | Configure maximum storm-control level | |||
| unit | String | percent |
Valid Values: - percent- pps |
Optional field and is hardware dependent | |
| unknown_unicast | Dictionary | ||||
| level | String | Configure maximum storm-control level | |||
| unit | String | percent |
Valid Values: - percent- pps |
Optional field and is hardware dependent | |
| logging | Dictionary | ||||
| event | Dictionary | ||||
| link_status | Boolean | ||||
| congestion_drops | Boolean | ||||
| spanning_tree | Boolean | ||||
| storm_control_discards | Boolean | ||||
| lldp | Dictionary | ||||
| transmit | Boolean | ||||
| receive | Boolean | ||||
| ztp_vlan | Integer | ZTP vlan number | |||
| trunk_private_vlan_secondary | Boolean | ||||
| pvlan_mapping | String | List of vlans as string | |||
| vlan_translations | List, items: Dictionary | ||||
| - from | String | List of vlans as string (only one vlan if direction is “both”) | |||
| to | Integer | VLAN ID | |||
| direction | String | both |
Valid Values: - in- out- both |
||
| dot1x | Dictionary | ||||
| port_control | String | Valid Values: - auto- force-authorized- force-unauthorized |
|||
| port_control_force_authorized_phone | Boolean | ||||
| reauthentication | Boolean | ||||
| pae | Dictionary | ||||
| mode | String | Valid Values: - authenticator |
|||
| authentication_failure | Dictionary | ||||
| action | String | Valid Values: - allow- drop |
|||
| allow_vlan | Integer | Min: 1 Max: 4094 |
|||
| host_mode | Dictionary | ||||
| mode | String | Valid Values: - multi-host- single-host |
|||
| multi_host_authenticated | Boolean | ||||
| mac_based_authentication | Dictionary | ||||
| enabled | Boolean | ||||
| always | Boolean | ||||
| host_mode_common | Boolean | ||||
| timeout | Dictionary | ||||
| idle_host | Integer | Min: 10 Max: 65535 |
|||
| quiet_period | Integer | Min: 1 Max: 65535 |
|||
| reauth_period | String | Value can be 60-4294967295 or ‘server’ | |||
| reauth_timeout_ignore | Boolean | ||||
| tx_period | Integer | Min: 1 Max: 65535 |
|||
| reauthorization_request_limit | Integer | Min: 1 Max: 10 |
|||
| unauthorized | Dictionary | ||||
| access_vlan_membership_egress | Boolean | ||||
| native_vlan_membership_egress | Boolean | ||||
| eapol | Dictionary | ||||
| disabled | Boolean | ||||
| authentication_failure_fallback_mba | Dictionary | ||||
| enabled | Boolean | ||||
| timeout | Integer | Min: 0 Max: 65535 |
|||
| service_profile | String | QOS profile | |||
| shape | Dictionary | ||||
| rate | String | Rate in kbps, pps or percent Supported options are platform dependent Examples: - “5000 kbps” - “1000 pps” - “20 percent” |
|||
| qos | Dictionary | ||||
| trust | String | Valid Values: - dscp- cos- disabled |
|||
| dscp | Integer | DSCP value | |||
| cos | Integer | COS value | |||
| spanning_tree_bpdufilter | String | Valid Values: - enabled- disabled- True- False- true- false |
|||
| spanning_tree_bpduguard | String | Valid Values: - enabled- disabled- True- False- true- false |
|||
| spanning_tree_guard | String | Valid Values: - loop- root- disabled |
|||
| spanning_tree_portfast | String | Valid Values: - edge- network |
|||
| vmtracer | Boolean | ||||
| priority_flow_control | Dictionary | ||||
| enabled | Boolean | ||||
| priorities | List, items: Dictionary | ||||
| - priority | Integer | Required, Unique | Min: 0 Max: 7 |
||
| no_drop | Boolean | ||||
| bfd | Dictionary | ||||
| echo | Boolean | ||||
| interval | Integer | Interval in milliseconds | |||
| min_rx | Integer | Rate in milliseconds | |||
| multiplier | Integer | Min: 3 Max: 50 |
|||
| service_policy | Dictionary | ||||
| pbr | Dictionary | ||||
| input | String | Policy Based Routing Policy-map name | |||
| qos | Dictionary | ||||
| input | String | Required | Quality of Service Policy-map name | ||
| mpls | Dictionary | ||||
| ip | Boolean | ||||
| ldp | Dictionary | ||||
| interface | Boolean | ||||
| igp_sync | Boolean | ||||
| lacp_timer | Dictionary | ||||
| mode | String | Valid Values: - fast- normal |
|||
| multiplier | Integer | Min: 3 Max: 3000 |
|||
| lacp_port_priority | Integer | Min: 0 Max: 65535 |
|||
| transceiver | Dictionary | ||||
| media | Dictionary | ||||
| override | String | Transceiver type | |||
| ip_proxy_arp | Boolean | ||||
| traffic_policy | Dictionary | ||||
| input | String | Ingress traffic policy | |||
| output | String | Egress traffic policy | |||
| bgp | Dictionary | ||||
| session_tracker | String | Name of session tracker | |||
| peer | String | Key only used for documentation or validation purposes | |||
| peer_interface | String | Key only used for documentation or validation purposes | |||
| peer_type | String | Key only used for documentation or validation purposes | |||
| sflow | Dictionary | ||||
| enable | Boolean | ||||
| egress | Dictionary | ||||
| enable | Boolean | ||||
| unmodified_enable | Boolean | ||||
| port_profile | String | Key only used for documentation or validation purposes | |||
| uc_tx_queues | List, items: Dictionary | ||||
| - id | Integer | Required, Unique | TX-Queue ID | ||
| random_detect | Dictionary | ||||
| ecn | Dictionary | Explicit Congestion Notification | |||
| count | Boolean | Enable counter for random-detect ECNs | |||
| threshold | Dictionary | ||||
| units | String | Required | Valid Values: - segments- bytes- kbytes- mbytes- milliseconds |
Indicate the units to be used for the threshold values | |
| min | Integer | Required | Min: 1 Max: 256000000 |
Set the random-detect ECN minimum-threshold | |
| max | Integer | Required | Min: 1 Max: 256000000 |
Set the random-detect ECN maximum-threshold | |
| max_probability | Integer | Min: 1 Max: 100 |
Set the random-detect ECN max-mark-probability | ||
| weight | Integer | Min: 0 Max: 15 |
Set the random-detect ECN weight | ||
| tx_queues | List, items: Dictionary | ||||
| - id | Integer | Required, Unique | TX-Queue ID | ||
| random_detect | Dictionary | ||||
| ecn | Dictionary | Explicit Congestion Notification | |||
| count | Boolean | Enable counter for random-detect ECNs | |||
| threshold | Dictionary | ||||
| units | String | Required | Valid Values: - segments- bytes- kbytes- mbytes- milliseconds |
Indicate the units to be used for the threshold values | |
| min | Integer | Min: 1 Max: 256000000 |
Set the random-detect ECN minimum-threshold | ||
| max | Integer | Required | Min: 1 Max: 256000000 |
Set the random-detect ECN maximum-threshold | |
| max_probability | Integer | Required | Min: 1 Max: 100 |
Set the random-detect ECN max-mark-probability | |
| weight | Integer | Min: 0 Max: 15 |
Set the random-detect ECN weight | ||
| vrrp_ids | List, items: Dictionary | VRRP model. | |||
| - id | Integer | Required, Unique | VRID | ||
| priority_level | Integer | Min: 1 Max: 254 |
Instance priority | ||
| advertisement | Dictionary | ||||
| interval | Integer | Min: 1 Max: 255 |
Interval in seconds | ||
| preempt | Dictionary | ||||
| enabled | Boolean | Required | |||
| delay | Dictionary | ||||
| minimum | Integer | Min: 0 Max: 3600 |
Minimum preempt delay in seconds | ||
| reload | Integer | Min: 0 Max: 3600 |
Reload preempt delay in seconds | ||
| timers | Dictionary | ||||
| delay | Dictionary | ||||
| reload | Integer | Min: 0 Max: 3600 |
Delay after reload in seconds. | ||
| tracked_object | List, items: Dictionary | ||||
| - name | String | Required, Unique | Tracked object name | ||
| decrement | Integer | Min: 1 Max: 254 |
Decrement VRRP priority by 1-254 | ||
| shutdown | Boolean | ||||
| ipv4 | Dictionary | ||||
| address | String | Required | Virtual IPv4 address | ||
| version | Integer | Valid Values: - 2- 3 |
|||
| ipv6 | Dictionary | ||||
| address | String | Required | Virtual IPv6 address | ||
| eos_cli | String | Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration |
ethernet_interfaces:
- name: <str; required; unique>
description: <str>
shutdown: <bool>
# Interval in seconds for updating interface counters"
load_interval: <int; 0-600>
# Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
speed: <str>
mtu: <int; 68-65535>
# "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI
l2_mtu: <int; 68-65535>
# "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI
l2_mru: <int; 68-65535>
# List of switchport vlans as string
# For a trunk port this would be a range like "1-200,300"
# For an access port this would be a single vlan "123"
vlans: <str>
native_vlan: <int>
# If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence
native_vlan_tag: <bool>
mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">
phone:
trunk: <str; "tagged" | "tagged phone" | "untagged" | "untagged phone">
vlan: <int; 1-4094>
l2_protocol:
# Vlan tag to configure on sub-interface
encapsulation_dot1q_vlan: <int>
# L2 protocol forwarding profile
forwarding_profile: <str>
trunk_groups:
- <str>
# l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
# Interface will not be listed in device documentation, unless "type" is set.
type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q" | "port-channel-member">
snmp_trap_link_change: <bool>
address_locking:
# Enable address locking for IPv4
ipv4: <bool>
# Enable address locking for IPv6
ipv6: <bool>
flowcontrol:
received: <str; "desired" | "on" | "off">
# VRF name
vrf: <str>
flow_tracker:
# Sampled flow tracker name.
sampled: <str>
# Hardware flow tracker name.
hardware: <str>
error_correction_encoding:
enabled: <bool; default=True>
fire_code: <bool>
reed_solomon: <bool>
link_tracking_groups:
# Group name
- name: <str; required; unique>
direction: <str; "upstream" | "downstream">
evpn_ethernet_segment:
# EVPN Ethernet Segment Identifier (Type 1 format)
identifier: <str>
redundancy: <str; "all-active" | "single-active">
designated_forwarder_election:
algorithm: <str; "modulus" | "preference">
# Preference_value is only used when "algorithm" is "preference"
preference_value: <int; 0-65535>
# Dont_preempt is only used when "algorithm" is "preference"
dont_preempt: <bool>
hold_time: <int>
subsequent_hold_time: <int>
candidate_reachability_required: <bool>
mpls:
shared_index: <int; 1-1024>
tunnel_flood_filter_time: <int>
# EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx
route_target: <str>
# VLAN tag to configure on sub-interface
encapsulation_dot1q_vlan: <int>
encapsulation_vlan:
client:
dot1q:
# Client VLAN ID
vlan: <int>
# Client Outer VLAN ID
outer: <int>
# Client Inner VLAN ID
inner: <int>
unmatched: <bool>
# Network encapsulations are all optional and skipped if using client unmatched
network:
dot1q:
# Network VLAN ID
vlan: <int>
# Network outer VLAN ID
outer: <int>
# Network inner VLAN ID
inner: <int>
client: <bool>
vlan_id: <int; 1-4094>
# IPv4 address/mask or "dhcp"
ip_address: <str>
ip_address_secondaries:
- <str>
# Install default-route obtained via DHCP
dhcp_client_accept_default_route: <bool>
# Enable IPv4 DHCP server.
dhcp_server_ipv4: <bool>
# Enable IPv6 DHCP server.
dhcp_server_ipv6: <bool>
ip_helpers:
- ip_helper: <str; required; unique>
# Source interface name
source_interface: <str>
# VRF name
vrf: <str>
ip_nat:
# NAT interface profile.
service_profile: <str>
destination:
dynamic:
- access_list: <str; required; unique>
comment: <str>
pool_name: <str; required>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutual exclusive
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutual exclusive
group: <int; 1-65535>
# IPv4 address
original_ip: <str; required; unique>
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address
translated_ip: <str; required>
# requires 'original_port'
translated_port: <int; 1-65535>
source:
dynamic:
- access_list: <str; required; unique>
comment: <str>
nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>
# required if 'nat_type' is pool, pool-address-only or pool-full-cone
# ignored if 'nat_type' is overload
pool_name: <str>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutual exclusive
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutual exclusive
group: <int; 1-65535>
# IPv4 address
original_ip: <str; required; unique>
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address
translated_ip: <str; required>
# requires 'original_port'
translated_port: <int; 1-65535>
ipv6_enable: <bool>
ipv6_address: <str>
# Link local IPv6 address/mask
ipv6_address_link_local: <str>
ipv6_nd_ra_disabled: <bool>
ipv6_nd_managed_config_flag: <bool>
ipv6_nd_prefixes:
- ipv6_prefix: <str; required; unique>
# Infinite or lifetime in seconds
valid_lifetime: <str>
# Infinite or lifetime in seconds
preferred_lifetime: <str>
no_autoconfig_flag: <bool>
ipv6_dhcp_relay_destinations:
# DHCP server's IPv6 address
- address: <str; required; unique>
vrf: <str>
# Local interface to communicate with DHCP server - mutually exclusive to source_address
local_interface: <str>
# Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface
source_address: <str>
# Override the default link address specified in the relayed DHCP packet
link_address: <str>
# Access list name
access_group_in: <str>
# Access list name
access_group_out: <str>
# IPv6 access list name
ipv6_access_group_in: <str>
# IPv6 access list name
ipv6_access_group_out: <str>
# MAC access list name
mac_access_group_in: <str>
# MAC access list name
mac_access_group_out: <str>
# Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both
multicast:
ipv4:
boundaries:
# ACL name or multicast IP subnet
- boundary: <str>
out: <bool>
static: <bool>
ipv6:
boundaries:
# ACL name or multicast IP subnet
- boundary: <str>
static: <bool>
ospf_network_point_to_point: <bool>
ospf_area: <str>
ospf_cost: <int>
ospf_authentication: <str; "none" | "simple" | "message-digest">
# Encrypted password - only type 7 supported
ospf_authentication_key: <str>
ospf_message_digest_keys:
- id: <int; required; unique>
hash_algorithm: <str; "md5" | "sha1" | "sha256" | "sha384" | "sha512">
# Encrypted password - only type 7 supported
key: <str>
pim:
ipv4:
dr_priority: <int; 0-429467295>
sparse_mode: <bool>
mac_security:
profile: <str>
channel_group:
id: <int>
mode: <str; "on" | "active" | "passive">
# ISIS instance
isis_enable: <str>
isis_passive: <bool>
isis_metric: <int>
isis_network_point_to_point: <bool>
isis_circuit_type: <str; "level-1-2" | "level-1" | "level-2">
isis_hello_padding: <bool>
isis_authentication_mode: <str; "text" | "md5">
# Type-7 encrypted password
isis_authentication_key: <str>
poe:
# Disable PoE on a POE capable port. PoE is enabled on all ports that support it by default in EOS.
disabled: <bool; default=False>
# Prioritize a port's power in the event that one of the switch's power supplies loses power
priority: <str; "critical" | "high" | "medium" | "low">
# Set the PoE power behavior for a PoE port when the system is rebooted
reboot:
# PoE action for interface
action: <str; "maintain" | "power-off">
# Set the PoE power behavior for a PoE port when the port goes down
link_down:
# PoE action for interface
action: <str; "maintain" | "power-off">
# Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS.
power_off_delay: <int; 1-86400>
# Set the PoE power behavior for a PoE port when the port is admin down
shutdown:
# PoE action for interface
action: <str; "maintain" | "power-off">
# Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class.
limit:
class: <int; 0-8>
watts: <str>
# Set to ignore hardware classification
fixed: <bool>
# Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS.
negotiation_lldp: <bool>
# Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections.
legacy_detect: <bool>
ptp:
enable: <bool>
announce:
interval: <int>
timeout: <int>
delay_req: <int>
delay_mechanism: <str; "e2e" | "p2p">
sync_message:
interval: <int>
role: <str; "master" | "dynamic">
# VLAN can be 'all' or list of vlans as string
vlan: <str>
transport: <str; "ipv4" | "ipv6" | "layer2">
# Interface profile
profile: <str>
storm_control:
all:
# Configure maximum storm-control level
level: <str>
# Optional field and is hardware dependent
unit: <str; "percent" | "pps"; default="percent">
broadcast:
# Configure maximum storm-control level
level: <str>
# Optional field and is hardware dependent
unit: <str; "percent" | "pps"; default="percent">
multicast:
# Configure maximum storm-control level
level: <str>
# Optional field and is hardware dependent
unit: <str; "percent" | "pps"; default="percent">
unknown_unicast:
# Configure maximum storm-control level
level: <str>
# Optional field and is hardware dependent
unit: <str; "percent" | "pps"; default="percent">
logging:
event:
link_status: <bool>
congestion_drops: <bool>
spanning_tree: <bool>
storm_control_discards: <bool>
lldp:
transmit: <bool>
receive: <bool>
# ZTP vlan number
ztp_vlan: <int>
trunk_private_vlan_secondary: <bool>
# List of vlans as string
pvlan_mapping: <str>
vlan_translations:
# List of vlans as string (only one vlan if direction is "both")
- from: <str>
# VLAN ID
to: <int>
direction: <str; "in" | "out" | "both"; default="both">
dot1x:
port_control: <str; "auto" | "force-authorized" | "force-unauthorized">
port_control_force_authorized_phone: <bool>
reauthentication: <bool>
pae:
mode: <str; "authenticator">
authentication_failure:
action: <str; "allow" | "drop">
allow_vlan: <int; 1-4094>
host_mode:
mode: <str; "multi-host" | "single-host">
multi_host_authenticated: <bool>
mac_based_authentication:
enabled: <bool>
always: <bool>
host_mode_common: <bool>
timeout:
idle_host: <int; 10-65535>
quiet_period: <int; 1-65535>
# Value can be 60-4294967295 or 'server'
reauth_period: <str>
reauth_timeout_ignore: <bool>
tx_period: <int; 1-65535>
reauthorization_request_limit: <int; 1-10>
unauthorized:
access_vlan_membership_egress: <bool>
native_vlan_membership_egress: <bool>
eapol:
disabled: <bool>
authentication_failure_fallback_mba:
enabled: <bool>
timeout: <int; 0-65535>
# QOS profile
service_profile: <str>
shape:
# Rate in kbps, pps or percent
# Supported options are platform dependent
# Examples:
# - "5000 kbps"
# - "1000 pps"
# - "20 percent"
rate: <str>
qos:
trust: <str; "dscp" | "cos" | "disabled">
# DSCP value
dscp: <int>
# COS value
cos: <int>
spanning_tree_bpdufilter: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
spanning_tree_bpduguard: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
spanning_tree_guard: <str; "loop" | "root" | "disabled">
spanning_tree_portfast: <str; "edge" | "network">
vmtracer: <bool>
priority_flow_control:
enabled: <bool>
priorities:
- priority: <int; 0-7; required; unique>
no_drop: <bool>
bfd:
echo: <bool>
# Interval in milliseconds
interval: <int>
# Rate in milliseconds
min_rx: <int>
multiplier: <int; 3-50>
service_policy:
pbr:
# Policy Based Routing Policy-map name
input: <str>
qos:
# Quality of Service Policy-map name
input: <str; required>
mpls:
ip: <bool>
ldp:
interface: <bool>
igp_sync: <bool>
lacp_timer:
mode: <str; "fast" | "normal">
multiplier: <int; 3-3000>
lacp_port_priority: <int; 0-65535>
transceiver:
media:
# Transceiver type
override: <str>
ip_proxy_arp: <bool>
traffic_policy:
# Ingress traffic policy
input: <str>
# Egress traffic policy
output: <str>
bgp:
# Name of session tracker
session_tracker: <str>
# Key only used for documentation or validation purposes
peer: <str>
# Key only used for documentation or validation purposes
peer_interface: <str>
# Key only used for documentation or validation purposes
peer_type: <str>
sflow:
enable: <bool>
egress:
enable: <bool>
unmodified_enable: <bool>
# Key only used for documentation or validation purposes
port_profile: <str>
uc_tx_queues:
# TX-Queue ID
- id: <int; required; unique>
random_detect:
# Explicit Congestion Notification
ecn:
# Enable counter for random-detect ECNs
count: <bool>
threshold:
# Indicate the units to be used for the threshold values
units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>
# Set the random-detect ECN minimum-threshold
min: <int; 1-256000000; required>
# Set the random-detect ECN maximum-threshold
max: <int; 1-256000000; required>
# Set the random-detect ECN max-mark-probability
max_probability: <int; 1-100>
# Set the random-detect ECN weight
weight: <int; 0-15>
tx_queues:
# TX-Queue ID
- id: <int; required; unique>
random_detect:
# Explicit Congestion Notification
ecn:
# Enable counter for random-detect ECNs
count: <bool>
threshold:
# Indicate the units to be used for the threshold values
units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>
# Set the random-detect ECN minimum-threshold
min: <int; 1-256000000>
# Set the random-detect ECN maximum-threshold
max: <int; 1-256000000; required>
# Set the random-detect ECN max-mark-probability
max_probability: <int; 1-100; required>
# Set the random-detect ECN weight
weight: <int; 0-15>
# VRRP model.
vrrp_ids:
# VRID
- id: <int; required; unique>
# Instance priority
priority_level: <int; 1-254>
advertisement:
# Interval in seconds
interval: <int; 1-255>
preempt:
enabled: <bool; required>
delay:
# Minimum preempt delay in seconds
minimum: <int; 0-3600>
# Reload preempt delay in seconds
reload: <int; 0-3600>
timers:
delay:
# Delay after reload in seconds.
reload: <int; 0-3600>
tracked_object:
# Tracked object name
- name: <str; required; unique>
# Decrement VRRP priority by 1-254
decrement: <int; 1-254>
shutdown: <bool>
ipv4:
# Virtual IPv4 address
address: <str; required>
version: <int; 2 | 3>
ipv6:
# Virtual IPv6 address
address: <str; required>
# Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration
eos_cli: <str>
Interface defaults¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| interface_defaults | Dictionary | ||||
| ethernet | Dictionary | ||||
| shutdown | Boolean | ||||
| mtu | Integer |
Interface profiles¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| interface_profiles | List, items: Dictionary | ||||
| - name | String | Required, Unique | Interface-Profile Name | ||
| commands | List, items: String | Required | |||
| - <str> | String | EOS CLI interface command Example: “switchport mode access” |
LACP¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| lacp | Dictionary | Set Link Aggregation Control Protocol (LACP) parameters. | |||
| port_id | Dictionary | LACP port-ID range configuration. | |||
| range | Dictionary | ||||
| begin | Integer | Minimum LACP port-ID range. | |||
| end | Integer | Maximum LACP port-ID range. | |||
| rate_limit | Dictionary | Set LACPDU rate limit options. | |||
| default | Boolean | Enable LACPDU rate limiting by default on all ports. | |||
| system_priority | Integer | Min: 0 Max: 65535 |
Set local system LACP priority. |
# Set Link Aggregation Control Protocol (LACP) parameters.
lacp:
# LACP port-ID range configuration.
port_id:
range:
# Minimum LACP port-ID range.
begin: <int>
# Maximum LACP port-ID range.
end: <int>
# Set LACPDU rate limit options.
rate_limit:
# Enable LACPDU rate limiting by default on all ports.
default: <bool>
# Set local system LACP priority.
system_priority: <int; 0-65535>
Link tracking groups¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| link_tracking_groups | List, items: Dictionary | ||||
| - name | String | Required, Unique | |||
| links_minimum | Integer | Min: 1 Max: 100000 |
|||
| recovery_delay | Integer | Min: 0 Max: 3600 |
LLDP¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| lldp | Dictionary | ||||
| timer | Integer | ||||
| timer_reinitialization | String | ||||
| holdtime | Integer | ||||
| management_address | String | ||||
| vrf | String | ||||
| receive_packet_tagged_drop | String | ||||
| tlvs | List, items: Dictionary | ||||
| - name | String | Required, Unique | Valid Values: - link-aggregation- management-address- max-frame-size- med- port-description- port-vlan- power-via-mdi- system-capabilities- system-description- system-name- vlan-name |
||
| transmit | Boolean | ||||
| run | Boolean |
lldp:
timer: <int>
timer_reinitialization: <str>
holdtime: <int>
management_address: <str>
vrf: <str>
receive_packet_tagged_drop: <str>
tlvs:
- name: <str; "link-aggregation" | "management-address" | "max-frame-size" | "med" | "port-description" | "port-vlan" | "power-via-mdi" | "system-capabilities" | "system-description" | "system-name" | "vlan-name"; required; unique>
transmit: <bool>
run: <bool>
Loopback interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| loopback_interfaces | List, items: Dictionary | ||||
| - name | String | Required, Unique | Loopback interface name e.g. “Loopback0” | ||
| description | String | ||||
| shutdown | Boolean | ||||
| vrf | String | VRF name | |||
| ip_address | String | IPv4_address/Mask | |||
| ip_address_secondaries | List, items: String | ||||
| - <str> | String | IPv4_address/Mask | |||
| ipv6_enable | Boolean | ||||
| ipv6_address | String | IPv6_address/Mask | |||
| ip_proxy_arp | Boolean | ||||
| ospf_area | String | ||||
| mpls | Dictionary | ||||
| ldp | Dictionary | ||||
| interface | Boolean | ||||
| isis_enable | String | ISIS instance name | |||
| isis_passive | Boolean | ||||
| isis_metric | Integer | ||||
| isis_network_point_to_point | Boolean | ||||
| node_segment | Dictionary | ||||
| ipv4_index | Integer | ||||
| ipv6_index | Integer | ||||
| eos_cli | String | EOS CLI rendered directly on the loopback interface in the final EOS configuration |
loopback_interfaces:
# Loopback interface name e.g. "Loopback0"
- name: <str; required; unique>
description: <str>
shutdown: <bool>
# VRF name
vrf: <str>
# IPv4_address/Mask
ip_address: <str>
ip_address_secondaries:
# IPv4_address/Mask
- <str>
ipv6_enable: <bool>
# IPv6_address/Mask
ipv6_address: <str>
ip_proxy_arp: <bool>
ospf_area: <str>
mpls:
ldp:
interface: <bool>
# ISIS instance name
isis_enable: <str>
isis_passive: <bool>
isis_metric: <int>
isis_network_point_to_point: <bool>
node_segment:
ipv4_index: <int>
ipv6_index: <int>
# EOS CLI rendered directly on the loopback interface in the final EOS configuration
eos_cli: <str>
Management interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| management_interfaces | List, items: Dictionary | ||||
| - name | String | Required, Unique | Management Interface Name | ||
| description | String | ||||
| shutdown | Boolean | ||||
| speed | String | Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>. |
|||
| mtu | Integer | ||||
| vrf | String | VRF Name | |||
| ip_address | String | IPv4_address/Mask | |||
| ipv6_enable | Boolean | ||||
| ipv6_address | String | IPv6_address/Mask | |||
| type | String | oob |
Valid Values: - oob- inband |
For documentation purposes only | |
| gateway | String | IPv4 address of default gateway in management VRF | |||
| ipv6_gateway | String | IPv6 address of default gateway in management VRF | |||
| mac_address | String | MAC address | |||
| lldp | Dictionary | ||||
| transmit | Boolean | ||||
| receive | Boolean | ||||
| ztp_vlan | Integer | ZTP vlan number | |||
| eos_cli | String | Multiline EOS CLI rendered directly on the management interface in the final EOS configuration |
management_interfaces:
# Management Interface Name
- name: <str; required; unique>
description: <str>
shutdown: <bool>
# Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
speed: <str>
mtu: <int>
# VRF Name
vrf: <str>
# IPv4_address/Mask
ip_address: <str>
ipv6_enable: <bool>
# IPv6_address/Mask
ipv6_address: <str>
# For documentation purposes only
type: <str; "oob" | "inband"; default="oob">
# IPv4 address of default gateway in management VRF
gateway: <str>
# IPv6 address of default gateway in management VRF
ipv6_gateway: <str>
# MAC address
mac_address: <str>
lldp:
transmit: <bool>
receive: <bool>
# ZTP vlan number
ztp_vlan: <int>
# Multiline EOS CLI rendered directly on the management interface in the final EOS configuration
eos_cli: <str>
Patch panel¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| patch_panel | Dictionary | ||||
| patches | List, items: Dictionary | ||||
| - name | String | Required, Unique | |||
| enabled | Boolean | ||||
| connectors | List, items: Dictionary | Min Length: 2 Max Length: 2 |
Must have exactly two connectors to a patch of which at least one must be of type “interface” | ||
| - id | String | Required, Unique | |||
| type | String | Required | Valid Values: - interface- pseudowire |
||
| endpoint | String | Required | String with relevant endpoint depending on type. Examples: - “Ethernet1” - “Ethernet1 dot1q vlan 123” - “bgp vpws TENANT_A pseudowire VPWS_PW_1” - “ldp LDP_PW_1” |
patch_panel:
patches:
- name: <str; required; unique>
enabled: <bool>
# Must have exactly two connectors to a patch of which at least one must be of type "interface"
connectors: # 2-2 items
- id: <str; required; unique>
type: <str; "interface" | "pseudowire"; required>
# String with relevant endpoint depending on type.
# Examples:
# - "Ethernet1"
# - "Ethernet1 dot1q vlan 123"
# - "bgp vpws TENANT_A pseudowire VPWS_PW_1"
# - "ldp LDP_PW_1"
endpoint: <str; required>
Port-channel interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| port_channel_interfaces | List, items: Dictionary | ||||
| - name | String | Required, Unique | |||
| description | String | ||||
| logging | Dictionary | ||||
| event | Dictionary | ||||
| link_status | Boolean | ||||
| shutdown | Boolean | ||||
| l2_mtu | Integer | Min: 68 Max: 65535 |
“l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI |
||
| l2_mru | Integer | Min: 68 Max: 65535 |
“l2_mru” should only be defined for platforms supporting the “l2 mru” CLI |
||
| vlans | String | List of switchport vlans as string For a trunk port this would be a range like “1-200,300” For an access port this would be a single vlan “123” |
|||
| snmp_trap_link_change | Boolean | ||||
| type | String | Valid Values: - routed- switched- l3dot1q- l2dot1q |
l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed. Interface will not be listed in device documentation, unless “type” is set. |
||
| encapsulation_dot1q_vlan | Integer | VLAN tag to configure on sub-interface | |||
| vrf | String | VRF name | |||
| encapsulation_vlan | Dictionary | ||||
| client | Dictionary | ||||
| dot1q | Dictionary | ||||
| vlan | Integer | Client VLAN ID | |||
| outer | Integer | Client Outer VLAN ID | |||
| inner | Integer | Client Inner VLAN ID | |||
| unmatched | Boolean | ||||
| network | Dictionary | Network encapsulation are all optional, and skipped if using client unmatched | |||
| dot1q | Dictionary | ||||
| vlan | Integer | Network VLAN ID | |||
| outer | Integer | Network Outer VLAN ID | |||
| inner | Integer | Network Inner VLAN ID | |||
| client | Boolean | ||||
| vlan_id | Integer | Min: 1 Max: 4094 |
|||
| mode | String | Valid Values: - access- dot1q-tunnel- trunk- trunk phone |
|||
| native_vlan | Integer | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence | |||
| native_vlan_tag | Boolean | False |
If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence | ||
| link_tracking_groups | List, items: Dictionary | ||||
| - name | String | Required, Unique | Group name | ||
| direction | String | Valid Values: - upstream- downstream |
|||
| phone | Dictionary | ||||
| trunk | String | Valid Values: - tagged- untagged |
|||
| vlan | Integer | Min: 1 Max: 4094 |
|||
| l2_protocol | Dictionary | ||||
| encapsulation_dot1q_vlan | Integer | Vlan tag to configure on sub-interface | |||
| forwarding_profile | String | L2 protocol forwarding profile | |||
| mtu | Integer | Min: 68 Max: 65535 |
|||
| mlag | Integer | Min: 1 Max: 2000 |
MLAG ID | ||
| trunk_groups | List, items: String | ||||
| - <str> | String | ||||
| lacp_fallback_timeout | Integer | 90 |
Min: 0 Max: 300 |
Timeout in seconds | |
| lacp_fallback_mode | String | Valid Values: - individual- static |
|||
| qos | Dictionary | ||||
| trust | String | Valid Values: - dscp- cos- disabled |
|||
| dscp | Integer | DSCP value | |||
| cos | Integer | COS value | |||
| bfd | Dictionary | ||||
| echo | Boolean | ||||
| interval | Integer | Interval in milliseconds | |||
| min_rx | Integer | Rate in milliseconds | |||
| multiplier | Integer | Min: 3 Max: 50 |
|||
| service_policy | Dictionary | ||||
| pbr | Dictionary | ||||
| input | String | Policy Based Routing Policy-map name | |||
| qos | Dictionary | ||||
| input | String | Required | Quality of Service Policy-map name | ||
| mpls | Dictionary | ||||
| ip | Boolean | ||||
| ldp | Dictionary | ||||
| interface | Boolean | ||||
| igp_sync | Boolean | ||||
| trunk_private_vlan_secondary | Boolean | ||||
| pvlan_mapping | String | List of vlans as string | |||
| vlan_translations | List, items: Dictionary | ||||
| - from | String | List of vlans as string (only one vlan if direction is “both”) | |||
| to | Integer | VLAN ID | |||
| direction | String | both |
Valid Values: - in- out- both |
||
| shape | Dictionary | ||||
| rate | String | Rate in kbps, pps or percent Supported options are platform dependent Examples: - “5000 kbps” - “1000 pps” - “20 percent” |
|||
| storm_control | Dictionary | ||||
| all | Dictionary | ||||
| level | String | Configure maximum storm-control level | |||
| unit | String | percent |
Valid Values: - percent- pps |
Optional field and is hardware dependent | |
| broadcast | Dictionary | ||||
| level | String | Configure maximum storm-control level | |||
| unit | String | percent |
Valid Values: - percent- pps |
Optional field and is hardware dependent | |
| multicast | Dictionary | ||||
| level | String | Configure maximum storm-control level | |||
| unit | String | percent |
Valid Values: - percent- pps |
Optional field and is hardware dependent | |
| unknown_unicast | Dictionary | ||||
| level | String | Configure maximum storm-control level | |||
| unit | String | percent |
Valid Values: - percent- pps |
Optional field and is hardware dependent | |
| ip_proxy_arp | Boolean | ||||
| isis_enable | String | ISIS instance | |||
| isis_passive | Boolean | ||||
| isis_metric | Integer | ||||
| isis_network_point_to_point | Boolean | ||||
| isis_circuit_type | String | Valid Values: - level-1-2- level-1- level-2 |
|||
| isis_hello_padding | Boolean | ||||
| isis_authentication_mode | String | Valid Values: - text- md5 |
|||
| isis_authentication_key | String | Type-7 encrypted password | |||
| traffic_policy | Dictionary | ||||
| input | String | Ingress traffic policy | |||
| output | String | Egress traffic policy | |||
| evpn_ethernet_segment | Dictionary | ||||
| identifier | String | EVPN Ethernet Segment Identifier (Type 1 format) | |||
| redundancy | String | Valid Values: - all-active- single-active |
|||
| designated_forwarder_election | Dictionary | ||||
| algorithm | String | Valid Values: - modulus- preference |
|||
| preference_value | Integer | Min: 0 Max: 65535 |
Preference_value is only used when “algorithm” is “preference” | ||
| dont_preempt | Boolean | False |
Dont_preempt is only used when “algorithm” is “preference” | ||
| hold_time | Integer | ||||
| subsequent_hold_time | Integer | ||||
| candidate_reachability_required | Boolean | ||||
| mpls | Dictionary | ||||
| shared_index | Integer | Min: 1 Max: 1024 |
|||
| tunnel_flood_filter_time | Integer | ||||
| route_target | String | EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx | |||
| esi deprecated | String | EVPN Ethernet Segment Identifier (Type 1 format) If both “esi” and “evpn_ethernet_segment.identifier” are defined, the new variable takes precedence This key is deprecated. Support will be removed in AVD version 5.0.0. Use evpn_ethernet_segment.identifier instead. |
|||
| rt deprecated | String | EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx If both “rt” and “evpn_ethernet_segment.route_target” are defined, the new variable takes precedence This key is deprecated. Support will be removed in AVD version 5.0.0. Use evpn_ethernet_segment.route_target instead. |
|||
| lacp_id | String | LACP ID with format xxxx.xxxx.xxxx | |||
| spanning_tree_bpdufilter | String | Valid Values: - enabled- disabled- True- False- true- false |
|||
| spanning_tree_bpduguard | String | Valid Values: - enabled- disabled- True- False- true- false |
|||
| spanning_tree_guard | String | Valid Values: - loop- root- disabled |
|||
| spanning_tree_portfast | String | Valid Values: - edge- network |
|||
| vmtracer | Boolean | ||||
| ptp | Dictionary | ||||
| enable | Boolean | ||||
| announce | Dictionary | ||||
| interval | Integer | ||||
| timeout | Integer | ||||
| delay_req | Integer | ||||
| delay_mechanism | String | Valid Values: - e2e- p2p |
|||
| sync_message | Dictionary | ||||
| interval | Integer | ||||
| role | String | Valid Values: - master- dynamic |
|||
| vlan | String | VLAN can be ‘all’ or list of vlans as string | |||
| transport | String | Valid Values: - ipv4- ipv6- layer2 |
|||
| ip_address | String | IPv4 address/mask | |||
| ip_nat | Dictionary | ||||
| destination | Dictionary | ||||
| dynamic | List, items: Dictionary | ||||
| - access_list | String | Required, Unique | |||
| comment | String | ||||
| pool_name | String | Required | |||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| static | List, items: Dictionary | ||||
| - access_list | String | ‘access_list’ and ‘group’ are mutual exclusive | |||
| comment | String | ||||
| direction | String | Valid Values: - egress- ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
| group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive | ||
| original_ip | String | Required, Unique | IPv4 address | ||
| original_port | Integer | Min: 1 Max: 65535 |
|||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| protocol | String | Valid Values: - udp- tcp |
|||
| translated_ip | String | Required | IPv4 address | ||
| translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’ | ||
| source | Dictionary | ||||
| dynamic | List, items: Dictionary | ||||
| - access_list | String | Required, Unique | |||
| comment | String | ||||
| nat_type | String | Required | Valid Values: - overload- pool- pool-address-only- pool-full-cone |
||
| pool_name | String | required if ‘nat_type’ is pool, pool-address-only or pool-full-cone ignored if ‘nat_type’ is overload |
|||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| static | List, items: Dictionary | ||||
| - access_list | String | ‘access_list’ and ‘group’ are mutual exclusive | |||
| comment | String | ||||
| direction | String | Valid Values: - egress- ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
| group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive | ||
| original_ip | String | Required, Unique | IPv4 address | ||
| original_port | Integer | Min: 1 Max: 65535 |
|||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| protocol | String | Valid Values: - udp- tcp |
|||
| translated_ip | String | Required | IPv4 address | ||
| translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’ | ||
| ipv6_enable | Boolean | ||||
| ipv6_address | String | IPv6 address/mask | |||
| ipv6_address_link_local | String | Link local IPv6 address/mask | |||
| ipv6_nd_ra_disabled | Boolean | ||||
| ipv6_nd_managed_config_flag | Boolean | ||||
| ipv6_nd_prefixes | List, items: Dictionary | ||||
| - ipv6_prefix | String | Required, Unique | |||
| valid_lifetime | String | Infinite or lifetime in seconds | |||
| preferred_lifetime | String | Infinite or lifetime in seconds | |||
| no_autoconfig_flag | Boolean | ||||
| access_group_in | String | Access list name | |||
| access_group_out | String | Access list name | |||
| ipv6_access_group_in | String | IPv6 access list name | |||
| ipv6_access_group_out | String | IPv6 access list name | |||
| mac_access_group_in | String | MAC access list name | |||
| mac_access_group_out | String | MAC access list name | |||
| pim | Dictionary | ||||
| ipv4 | Dictionary | ||||
| dr_priority | Integer | Min: 0 Max: 429467295 |
|||
| sparse_mode | Boolean | ||||
| service_profile | String | QOS profile | |||
| ospf_network_point_to_point | Boolean | ||||
| ospf_area | String | ||||
| ospf_cost | Integer | ||||
| ospf_authentication | String | Valid Values: - none- simple- message-digest |
|||
| ospf_authentication_key | String | Encrypted password | |||
| ospf_message_digest_keys | List, items: Dictionary | ||||
| - id | Integer | Required, Unique | |||
| hash_algorithm | String | Valid Values: - md5- sha1- sha256- sha384- sha512 |
|||
| key | String | Encrypted password | |||
| flow_tracker | Dictionary | ||||
| sampled | String | Sampled flow tracker name. | |||
| hardware | String | Hardware flow tracker name. | |||
| bgp | Dictionary | ||||
| session_tracker | String | Name of session tracker | |||
| peer | String | Key only used for documentation or validation purposes | |||
| peer_interface | String | Key only used for documentation or validation purposes | |||
| peer_type | String | Key only used for documentation or validation purposes | |||
| sflow | Dictionary | ||||
| enable | Boolean | ||||
| egress | Dictionary | ||||
| enable | Boolean | ||||
| unmodified_enable | Boolean | ||||
| eos_cli | String | Multiline EOS CLI rendered directly on the port-channel interface in the final EOS configuration |
port_channel_interfaces:
- name: <str; required; unique>
description: <str>
logging:
event:
link_status: <bool>
shutdown: <bool>
# "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI
l2_mtu: <int; 68-65535>
# "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI
l2_mru: <int; 68-65535>
# List of switchport vlans as string
# For a trunk port this would be a range like "1-200,300"
# For an access port this would be a single vlan "123"
vlans: <str>
snmp_trap_link_change: <bool>
# l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
# Interface will not be listed in device documentation, unless "type" is set.
type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q">
# VLAN tag to configure on sub-interface
encapsulation_dot1q_vlan: <int>
# VRF name
vrf: <str>
encapsulation_vlan:
client:
dot1q:
# Client VLAN ID
vlan: <int>
# Client Outer VLAN ID
outer: <int>
# Client Inner VLAN ID
inner: <int>
unmatched: <bool>
# Network encapsulation are all optional, and skipped if using client unmatched
network:
dot1q:
# Network VLAN ID
vlan: <int>
# Network Outer VLAN ID
outer: <int>
# Network Inner VLAN ID
inner: <int>
client: <bool>
vlan_id: <int; 1-4094>
mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">
# If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence
native_vlan: <int>
# If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence
native_vlan_tag: <bool; default=False>
link_tracking_groups:
# Group name
- name: <str; required; unique>
direction: <str; "upstream" | "downstream">
phone:
trunk: <str; "tagged" | "untagged">
vlan: <int; 1-4094>
l2_protocol:
# Vlan tag to configure on sub-interface
encapsulation_dot1q_vlan: <int>
# L2 protocol forwarding profile
forwarding_profile: <str>
mtu: <int; 68-65535>
# MLAG ID
mlag: <int; 1-2000>
trunk_groups:
- <str>
# Timeout in seconds
lacp_fallback_timeout: <int; 0-300; default=90>
lacp_fallback_mode: <str; "individual" | "static">
qos:
trust: <str; "dscp" | "cos" | "disabled">
# DSCP value
dscp: <int>
# COS value
cos: <int>
bfd:
echo: <bool>
# Interval in milliseconds
interval: <int>
# Rate in milliseconds
min_rx: <int>
multiplier: <int; 3-50>
service_policy:
pbr:
# Policy Based Routing Policy-map name
input: <str>
qos:
# Quality of Service Policy-map name
input: <str; required>
mpls:
ip: <bool>
ldp:
interface: <bool>
igp_sync: <bool>
trunk_private_vlan_secondary: <bool>
# List of vlans as string
pvlan_mapping: <str>
vlan_translations:
# List of vlans as string (only one vlan if direction is "both")
- from: <str>
# VLAN ID
to: <int>
direction: <str; "in" | "out" | "both"; default="both">
shape:
# Rate in kbps, pps or percent
# Supported options are platform dependent
# Examples:
# - "5000 kbps"
# - "1000 pps"
# - "20 percent"
rate: <str>
storm_control:
all:
# Configure maximum storm-control level
level: <str>
# Optional field and is hardware dependent
unit: <str; "percent" | "pps"; default="percent">
broadcast:
# Configure maximum storm-control level
level: <str>
# Optional field and is hardware dependent
unit: <str; "percent" | "pps"; default="percent">
multicast:
# Configure maximum storm-control level
level: <str>
# Optional field and is hardware dependent
unit: <str; "percent" | "pps"; default="percent">
unknown_unicast:
# Configure maximum storm-control level
level: <str>
# Optional field and is hardware dependent
unit: <str; "percent" | "pps"; default="percent">
ip_proxy_arp: <bool>
# ISIS instance
isis_enable: <str>
isis_passive: <bool>
isis_metric: <int>
isis_network_point_to_point: <bool>
isis_circuit_type: <str; "level-1-2" | "level-1" | "level-2">
isis_hello_padding: <bool>
isis_authentication_mode: <str; "text" | "md5">
# Type-7 encrypted password
isis_authentication_key: <str>
traffic_policy:
# Ingress traffic policy
input: <str>
# Egress traffic policy
output: <str>
evpn_ethernet_segment:
# EVPN Ethernet Segment Identifier (Type 1 format)
identifier: <str>
redundancy: <str; "all-active" | "single-active">
designated_forwarder_election:
algorithm: <str; "modulus" | "preference">
# Preference_value is only used when "algorithm" is "preference"
preference_value: <int; 0-65535>
# Dont_preempt is only used when "algorithm" is "preference"
dont_preempt: <bool; default=False>
hold_time: <int>
subsequent_hold_time: <int>
candidate_reachability_required: <bool>
mpls:
shared_index: <int; 1-1024>
tunnel_flood_filter_time: <int>
# EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx
route_target: <str>
# EVPN Ethernet Segment Identifier (Type 1 format)
# If both "esi" and "evpn_ethernet_segment.identifier" are defined, the new variable takes precedence
# This key is deprecated.
# Support will be removed in AVD version 5.0.0.
# Use <samp>evpn_ethernet_segment.identifier</samp> instead.
esi: <str>
# EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx
# If both "rt" and "evpn_ethernet_segment.route_target" are defined, the new variable takes precedence
# This key is deprecated.
# Support will be removed in AVD version 5.0.0.
# Use <samp>evpn_ethernet_segment.route_target</samp> instead.
rt: <str>
# LACP ID with format xxxx.xxxx.xxxx
lacp_id: <str>
spanning_tree_bpdufilter: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
spanning_tree_bpduguard: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
spanning_tree_guard: <str; "loop" | "root" | "disabled">
spanning_tree_portfast: <str; "edge" | "network">
vmtracer: <bool>
ptp:
enable: <bool>
announce:
interval: <int>
timeout: <int>
delay_req: <int>
delay_mechanism: <str; "e2e" | "p2p">
sync_message:
interval: <int>
role: <str; "master" | "dynamic">
# VLAN can be 'all' or list of vlans as string
vlan: <str>
transport: <str; "ipv4" | "ipv6" | "layer2">
# IPv4 address/mask
ip_address: <str>
ip_nat:
destination:
dynamic:
- access_list: <str; required; unique>
comment: <str>
pool_name: <str; required>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutual exclusive
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutual exclusive
group: <int; 1-65535>
# IPv4 address
original_ip: <str; required; unique>
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address
translated_ip: <str; required>
# requires 'original_port'
translated_port: <int; 1-65535>
source:
dynamic:
- access_list: <str; required; unique>
comment: <str>
nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>
# required if 'nat_type' is pool, pool-address-only or pool-full-cone
# ignored if 'nat_type' is overload
pool_name: <str>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutual exclusive
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutual exclusive
group: <int; 1-65535>
# IPv4 address
original_ip: <str; required; unique>
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address
translated_ip: <str; required>
# requires 'original_port'
translated_port: <int; 1-65535>
ipv6_enable: <bool>
# IPv6 address/mask
ipv6_address: <str>
# Link local IPv6 address/mask
ipv6_address_link_local: <str>
ipv6_nd_ra_disabled: <bool>
ipv6_nd_managed_config_flag: <bool>
ipv6_nd_prefixes:
- ipv6_prefix: <str; required; unique>
# Infinite or lifetime in seconds
valid_lifetime: <str>
# Infinite or lifetime in seconds
preferred_lifetime: <str>
no_autoconfig_flag: <bool>
# Access list name
access_group_in: <str>
# Access list name
access_group_out: <str>
# IPv6 access list name
ipv6_access_group_in: <str>
# IPv6 access list name
ipv6_access_group_out: <str>
# MAC access list name
mac_access_group_in: <str>
# MAC access list name
mac_access_group_out: <str>
pim:
ipv4:
dr_priority: <int; 0-429467295>
sparse_mode: <bool>
# QOS profile
service_profile: <str>
ospf_network_point_to_point: <bool>
ospf_area: <str>
ospf_cost: <int>
ospf_authentication: <str; "none" | "simple" | "message-digest">
# Encrypted password
ospf_authentication_key: <str>
ospf_message_digest_keys:
- id: <int; required; unique>
hash_algorithm: <str; "md5" | "sha1" | "sha256" | "sha384" | "sha512">
# Encrypted password
key: <str>
flow_tracker:
# Sampled flow tracker name.
sampled: <str>
# Hardware flow tracker name.
hardware: <str>
bgp:
# Name of session tracker
session_tracker: <str>
# Key only used for documentation or validation purposes
peer: <str>
# Key only used for documentation or validation purposes
peer_interface: <str>
# Key only used for documentation or validation purposes
peer_type: <str>
sflow:
enable: <bool>
egress:
enable: <bool>
unmodified_enable: <bool>
# Multiline EOS CLI rendered directly on the port-channel interface in the final EOS configuration
eos_cli: <str>
Switchport default¶
Tunnel interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| tunnel_interfaces | List, items: Dictionary | ||||
| - name | String | Required, Unique | Tunnel Interface Name | ||
| description | String | ||||
| shutdown | Boolean | ||||
| mtu | Integer | Min: 68 Max: 65535 |
|||
| vrf | String | VRF Name | |||
| ip_address | String | Format: ipv4_cidr | IPv4_address/Mask | ||
| ipv6_enable | Boolean | ||||
| ipv6_address | String | Format: ipv6_cidr | IPv6_address/Mask | ||
| access_group_in | String | IPv4 ACL Name for ingress | |||
| access_group_out | String | IPv4 ACL Name for egress | |||
| ipv6_access_group_in | String | IPv6 ACL Name for ingress | |||
| ipv6_access_group_out | String | IPv6 ACL Name for egress | |||
| tcp_mss_ceiling | Dictionary | ||||
| ipv4 | Integer | Min: 64 Max: 65495 |
Segment Size for IPv4 | ||
| ipv6 | Integer | Min: 64 Max: 65475 |
Segment Size for IPv6 | ||
| direction | String | Valid Values: - ingress- egress |
Optional direction (‘ingress’, ‘egress’) for tcp mss ceiling |
||
| source_interface | String | Tunnel Source Interface Name | |||
| destination | String | IPv4 or IPv6 Address Tunnel Destination | |||
| path_mtu_discovery | Boolean | Enable Path MTU Discovery On Tunnel | |||
| eos_cli | String | Multiline String with EOS CLI rendered directly on the Tunnel interface in the final EOS configuration. |
tunnel_interfaces:
# Tunnel Interface Name
- name: <str; required; unique>
description: <str>
shutdown: <bool>
mtu: <int; 68-65535>
# VRF Name
vrf: <str>
# IPv4_address/Mask
ip_address: <str>
ipv6_enable: <bool>
# IPv6_address/Mask
ipv6_address: <str>
# IPv4 ACL Name for ingress
access_group_in: <str>
# IPv4 ACL Name for egress
access_group_out: <str>
# IPv6 ACL Name for ingress
ipv6_access_group_in: <str>
# IPv6 ACL Name for egress
ipv6_access_group_out: <str>
tcp_mss_ceiling:
# Segment Size for IPv4
ipv4: <int; 64-65495>
# Segment Size for IPv6
ipv6: <int; 64-65475>
# Optional direction ('ingress', 'egress') for tcp mss ceiling
direction: <str; "ingress" | "egress">
# Tunnel Source Interface Name
source_interface: <str>
# IPv4 or IPv6 Address Tunnel Destination
destination: <str>
# Enable Path MTU Discovery On Tunnel
path_mtu_discovery: <bool>
# Multiline String with EOS CLI rendered directly on the Tunnel interface in the final EOS configuration.
eos_cli: <str>
VLAN interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| vlan_interfaces | List, items: Dictionary | ||||
| - name | String | Required, Unique | VLAN interface name like “Vlan123” | ||
| description | String | ||||
| shutdown | Boolean | ||||
| vrf | String | VRF name | |||
| arp_aging_timeout | Integer | Min: 1 Max: 65535 |
In seconds | ||
| arp_cache_dynamic_capacity | Integer | Min: 0 Max: 4294967295 |
|||
| arp_gratuitous_accept | Boolean | ||||
| arp_monitor_mac_address | Boolean | ||||
| ip_proxy_arp | Boolean | ||||
| ip_directed_broadcast | Boolean | ||||
| ip_address | String | IPv4_address/Mask | |||
| ip_address_secondaries | List, items: String | ||||
| - <str> | String | IPv4_address/Mask | |||
| ip_virtual_router_addresses | List, items: String | ||||
| - <str> | String | IPv4 address or IPv4_address/Mask | |||
| ip_address_virtual | String | IPv4_address/Mask | |||
| ip_address_virtual_secondaries | List, items: String | ||||
| - <str> | String | IPv4_address/Mask | |||
| ip_igmp | Boolean | ||||
| ip_igmp_version | Integer | Min: 1 Max: 3 |
|||
| ip_helpers | List, items: Dictionary | List of DHCP servers | |||
| - ip_helper | String | Required, Unique | IP address or hostname of DHCP server | ||
| source_interface | String | Interface used as source for forwarded DHCP packets | |||
| vrf | String | VRF where DHCP server can be reached | |||
| ip_nat | Dictionary | ||||
| destination | Dictionary | ||||
| dynamic | List, items: Dictionary | ||||
| - access_list | String | Required, Unique | |||
| comment | String | ||||
| pool_name | String | Required | |||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| static | List, items: Dictionary | ||||
| - access_list | String | ‘access_list’ and ‘group’ are mutual exclusive | |||
| comment | String | ||||
| direction | String | Valid Values: - egress- ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
| group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive | ||
| original_ip | String | Required, Unique | IPv4 address | ||
| original_port | Integer | Min: 1 Max: 65535 |
|||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| protocol | String | Valid Values: - udp- tcp |
|||
| translated_ip | String | Required | IPv4 address | ||
| translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’ | ||
| source | Dictionary | ||||
| dynamic | List, items: Dictionary | ||||
| - access_list | String | Required, Unique | |||
| comment | String | ||||
| nat_type | String | Required | Valid Values: - overload- pool- pool-address-only- pool-full-cone |
||
| pool_name | String | required if ‘nat_type’ is pool, pool-address-only or pool-full-cone ignored if ‘nat_type’ is overload |
|||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| static | List, items: Dictionary | ||||
| - access_list | String | ‘access_list’ and ‘group’ are mutual exclusive | |||
| comment | String | ||||
| direction | String | Valid Values: - egress- ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
| group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive | ||
| original_ip | String | Required, Unique | IPv4 address | ||
| original_port | Integer | Min: 1 Max: 65535 |
|||
| priority | Integer | Min: 0 Max: 4294967295 |
|||
| protocol | String | Valid Values: - udp- tcp |
|||
| translated_ip | String | Required | IPv4 address | ||
| translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’ | ||
| ipv6_enable | Boolean | ||||
| ipv6_address | String | IPv6_address/Mask | |||
| ipv6_address_virtual deprecated | String | IPv6_address/Mask If both “ipv6_address_virtual” and “ipv6_address_virtuals” are set, all addresses will be configured This key is deprecated. Support will be removed in AVD version 5.0.0. Use ipv6_address_virtuals instead. |
|||
| ipv6_address_virtuals | List, items: String | The new “ipv6_address_virtuals” key support multiple virtual ipv6 addresses. | |||
| - <str> | String | IPv6_address/Mask | |||
| ipv6_address_link_local | String | IPv6_address/Mask | |||
| ipv6_virtual_router_address deprecated | String | “ipv6_virtual_router_address” should not be mixed with the new “ipv6_virtual_router_addresses” key below to avoid conflicts. This key is deprecated. Support will be removed in AVD version 5.0.0. Use ipv6_virtual_router_addresses instead. |
|||
| ipv6_virtual_router_addresses | List, items: String | Improved “VARPv6” data model to support multiple VARPv6 addresses. | |||
| - <str> | String | IPv6 address or IPv6_address/Mask | |||
| ipv6_nd_ra_disabled | Boolean | ||||
| ipv6_nd_managed_config_flag | Boolean | ||||
| ipv6_nd_prefixes | List, items: Dictionary | ||||
| - ipv6_prefix | String | Required, Unique | IPv6_address/Mask | ||
| valid_lifetime | String | In seconds <0-4294967295> or infinite | |||
| preferred_lifetime | String | In seconds <0-4294967295> or infinite | |||
| no_autoconfig_flag | Boolean | ||||
| ipv6_dhcp_relay_destinations | List, items: Dictionary | ||||
| - address | String | Required, Unique | DHCP server’s IPv6 address | ||
| vrf | String | ||||
| local_interface | String | Local interface to communicate with DHCP server - mutually exclusive to source_address | |||
| source_address | String | Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface | |||
| link_address | String | Override the default link address specified in the relayed DHCP packet | |||
| access_group_in | String | IPv4 access-list name | |||
| access_group_out | String | IPv4 access-list name | |||
| ipv6_access_group_in | String | IPv6 access-list name | |||
| ipv6_access_group_out | String | IPv6 access-list name | |||
| multicast | Dictionary | ||||
| ipv4 | Dictionary | ||||
| boundaries | List, items: Dictionary | Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both | |||
| - boundary | String | Required, Unique | IPv4 access-list name or IPv4 multicast group prefix with mask | ||
| out | Boolean | ||||
| source_route_export | Dictionary | ||||
| enabled | Boolean | Required | |||
| administrative_distance | Integer | Min: 1 Max: 255 |
|||
| static | Boolean | ||||
| ipv6 | Dictionary | ||||
| boundaries | List, items: Dictionary | Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both | |||
| - boundary | String | Required, Unique | IPv6 access-list name or IPv6 multicast group prefix with mask | ||
| source_route_export | Dictionary | ||||
| enabled | Boolean | Required | |||
| administrative_distance | Integer | Min: 1 Max: 255 |
|||
| static | Boolean | ||||
| ospf_network_point_to_point | Boolean | ||||
| ospf_area | String | ||||
| ospf_cost | Integer | ||||
| ospf_authentication | String | Valid Values: - none- simple- message-digest |
|||
| ospf_authentication_key | String | Encrypted password used for simple authentication | |||
| ospf_message_digest_keys | List, items: Dictionary | Keys used for message-digest authentication | |||
| - id | Integer | Required, Unique | |||
| hash_algorithm | String | Valid Values: - md5- sha1- sha256- sha384- sha512 |
|||
| key | String | Encrypted password | |||
| pim | Dictionary | ||||
| ipv4 | Dictionary | ||||
| dr_priority | Integer | Min: 0 Max: 429467295 |
|||
| sparse_mode | Boolean | ||||
| local_interface | String | ||||
| isis_enable | String | ISIS instance name | |||
| isis_passive | Boolean | ||||
| isis_metric | Integer | ||||
| isis_network_point_to_point | Boolean | ||||
| mtu | Integer | ||||
| no_autostate | Boolean | ||||
| vrrp_ids | List, items: Dictionary | Improved “vrrp” data model to support multiple VRRP IDs | |||
| - id | Integer | Required, Unique | VRID | ||
| priority_level | Integer | Min: 1 Max: 254 |
Instance priority | ||
| advertisement | Dictionary | ||||
| interval | Integer | Min: 1 Max: 255 |
Interval in seconds | ||
| preempt | Dictionary | ||||
| enabled | Boolean | Required | |||
| delay | Dictionary | ||||
| minimum | Integer | Min: 0 Max: 3600 |
Minimum preempt delay in seconds | ||
| reload | Integer | Min: 0 Max: 3600 |
Reload preempt delay in seconds | ||
| timers | Dictionary | ||||
| delay | Dictionary | ||||
| reload | Integer | Min: 0 Max: 3600 |
Delay after reload in seconds. | ||
| tracked_object | List, items: Dictionary | ||||
| - name | String | Required, Unique | Tracked object name | ||
| decrement | Integer | Min: 1 Max: 254 |
Decrement VRRP priority by 1-254 | ||
| shutdown | Boolean | ||||
| ipv4 | Dictionary | ||||
| address | String | Required | Virtual IPv4 address | ||
| version | Integer | Valid Values: - 2- 3 |
|||
| ipv6 | Dictionary | ||||
| address | String | Required | Virtual IPv6 address | ||
| vrrp deprecated | Dictionary | “vrrp” should not be mixed with the new “vrrp_ids” key above to avoid conflicts. This key is deprecated. Support will be removed in AVD version 5.0.0. Use vrrp_ids instead. |
|||
| virtual_router | String | Virtual Router ID | |||
| priority | Integer | Instance priority | |||
| advertisement_interval | Integer | ||||
| preempt_delay_minimum | Integer | ||||
| ipv4 | String | Virtual IPv4 address | |||
| ipv6 | String | Virtual IPv6 address | |||
| ip_attached_host_route_export | Dictionary | ||||
| enabled | Boolean | Required | |||
| distance | Integer | Min: 1 Max: 255 |
|||
| bfd | Dictionary | ||||
| echo | Boolean | ||||
| interval | Integer | Rate in milliseconds | |||
| min_rx | Integer | Minimum RX hold time in milliseconds | |||
| multiplier | Integer | Min: 3 Max: 50 |
|||
| service_policy | Dictionary | ||||
| pbr | Dictionary | ||||
| input | String | Name of policy-map used for policy based routing | |||
| pvlan_mapping | String | List of VLANs as string | |||
| tenant | String | Key only used for documentation or validation purposes | |||
| tags | List, items: String | Key only used for documentation or validation purposes | |||
| - <str> | String | ||||
| type | String | Key only used for documentation or validation purposes | |||
| eos_cli | String | Multiline EOS CLI rendered directly on the VLAN interface in the final EOS configuration |
vlan_interfaces:
# VLAN interface name like "Vlan123"
- name: <str; required; unique>
description: <str>
shutdown: <bool>
# VRF name
vrf: <str>
# In seconds
arp_aging_timeout: <int; 1-65535>
arp_cache_dynamic_capacity: <int; 0-4294967295>
arp_gratuitous_accept: <bool>
arp_monitor_mac_address: <bool>
ip_proxy_arp: <bool>
ip_directed_broadcast: <bool>
# IPv4_address/Mask
ip_address: <str>
ip_address_secondaries:
# IPv4_address/Mask
- <str>
ip_virtual_router_addresses:
# IPv4 address or IPv4_address/Mask
- <str>
# IPv4_address/Mask
ip_address_virtual: <str>
ip_address_virtual_secondaries:
# IPv4_address/Mask
- <str>
ip_igmp: <bool>
ip_igmp_version: <int; 1-3>
# List of DHCP servers
ip_helpers:
# IP address or hostname of DHCP server
- ip_helper: <str; required; unique>
# Interface used as source for forwarded DHCP packets
source_interface: <str>
# VRF where DHCP server can be reached
vrf: <str>
ip_nat:
destination:
dynamic:
- access_list: <str; required; unique>
comment: <str>
pool_name: <str; required>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutual exclusive
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutual exclusive
group: <int; 1-65535>
# IPv4 address
original_ip: <str; required; unique>
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address
translated_ip: <str; required>
# requires 'original_port'
translated_port: <int; 1-65535>
source:
dynamic:
- access_list: <str; required; unique>
comment: <str>
nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>
# required if 'nat_type' is pool, pool-address-only or pool-full-cone
# ignored if 'nat_type' is overload
pool_name: <str>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutual exclusive
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutual exclusive
group: <int; 1-65535>
# IPv4 address
original_ip: <str; required; unique>
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address
translated_ip: <str; required>
# requires 'original_port'
translated_port: <int; 1-65535>
ipv6_enable: <bool>
# IPv6_address/Mask
ipv6_address: <str>
# IPv6_address/Mask
# If both "ipv6_address_virtual" and "ipv6_address_virtuals" are set, all addresses will be configured
# This key is deprecated.
# Support will be removed in AVD version 5.0.0.
# Use <samp>ipv6_address_virtuals</samp> instead.
ipv6_address_virtual: <str>
# The new "ipv6_address_virtuals" key support multiple virtual ipv6 addresses.
ipv6_address_virtuals:
# IPv6_address/Mask
- <str>
# IPv6_address/Mask
ipv6_address_link_local: <str>
# "ipv6_virtual_router_address" should not be mixed with
# the new "ipv6_virtual_router_addresses" key below to avoid conflicts.
# This key is deprecated.
# Support will be removed in AVD version 5.0.0.
# Use <samp>ipv6_virtual_router_addresses</samp> instead.
ipv6_virtual_router_address: <str>
# Improved "VARPv6" data model to support multiple VARPv6 addresses.
ipv6_virtual_router_addresses:
# IPv6 address or IPv6_address/Mask
- <str>
ipv6_nd_ra_disabled: <bool>
ipv6_nd_managed_config_flag: <bool>
ipv6_nd_prefixes:
# IPv6_address/Mask
- ipv6_prefix: <str; required; unique>
# In seconds <0-4294967295> or infinite
valid_lifetime: <str>
# In seconds <0-4294967295> or infinite
preferred_lifetime: <str>
no_autoconfig_flag: <bool>
ipv6_dhcp_relay_destinations:
# DHCP server's IPv6 address
- address: <str; required; unique>
vrf: <str>
# Local interface to communicate with DHCP server - mutually exclusive to source_address
local_interface: <str>
# Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface
source_address: <str>
# Override the default link address specified in the relayed DHCP packet
link_address: <str>
# IPv4 access-list name
access_group_in: <str>
# IPv4 access-list name
access_group_out: <str>
# IPv6 access-list name
ipv6_access_group_in: <str>
# IPv6 access-list name
ipv6_access_group_out: <str>
multicast:
ipv4:
# Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both
boundaries:
# IPv4 access-list name or IPv4 multicast group prefix with mask
- boundary: <str; required; unique>
out: <bool>
source_route_export:
enabled: <bool; required>
administrative_distance: <int; 1-255>
static: <bool>
ipv6:
# Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both
boundaries:
# IPv6 access-list name or IPv6 multicast group prefix with mask
- boundary: <str; required; unique>
source_route_export:
enabled: <bool; required>
administrative_distance: <int; 1-255>
static: <bool>
ospf_network_point_to_point: <bool>
ospf_area: <str>
ospf_cost: <int>
ospf_authentication: <str; "none" | "simple" | "message-digest">
# Encrypted password used for simple authentication
ospf_authentication_key: <str>
# Keys used for message-digest authentication
ospf_message_digest_keys:
- id: <int; required; unique>
hash_algorithm: <str; "md5" | "sha1" | "sha256" | "sha384" | "sha512">
# Encrypted password
key: <str>
pim:
ipv4:
dr_priority: <int; 0-429467295>
sparse_mode: <bool>
local_interface: <str>
# ISIS instance name
isis_enable: <str>
isis_passive: <bool>
isis_metric: <int>
isis_network_point_to_point: <bool>
mtu: <int>
no_autostate: <bool>
# Improved "vrrp" data model to support multiple VRRP IDs
vrrp_ids:
# VRID
- id: <int; required; unique>
# Instance priority
priority_level: <int; 1-254>
advertisement:
# Interval in seconds
interval: <int; 1-255>
preempt:
enabled: <bool; required>
delay:
# Minimum preempt delay in seconds
minimum: <int; 0-3600>
# Reload preempt delay in seconds
reload: <int; 0-3600>
timers:
delay:
# Delay after reload in seconds.
reload: <int; 0-3600>
tracked_object:
# Tracked object name
- name: <str; required; unique>
# Decrement VRRP priority by 1-254
decrement: <int; 1-254>
shutdown: <bool>
ipv4:
# Virtual IPv4 address
address: <str; required>
version: <int; 2 | 3>
ipv6:
# Virtual IPv6 address
address: <str; required>
# "vrrp" should not be mixed with the new "vrrp_ids" key above to avoid conflicts.
# This key is deprecated.
# Support will be removed in AVD version 5.0.0.
# Use <samp>vrrp_ids</samp> instead.
vrrp:
# Virtual Router ID
virtual_router: <str>
# Instance priority
priority: <int>
advertisement_interval: <int>
preempt_delay_minimum: <int>
# Virtual IPv4 address
ipv4: <str>
# Virtual IPv6 address
ipv6: <str>
ip_attached_host_route_export:
enabled: <bool; required>
distance: <int; 1-255>
bfd:
echo: <bool>
# Rate in milliseconds
interval: <int>
# Minimum RX hold time in milliseconds
min_rx: <int>
multiplier: <int; 3-50>
service_policy:
pbr:
# Name of policy-map used for policy based routing
input: <str>
# List of VLANs as string
pvlan_mapping: <str>
# Key only used for documentation or validation purposes
tenant: <str>
# Key only used for documentation or validation purposes
tags:
- <str>
# Key only used for documentation or validation purposes
type: <str>
# Multiline EOS CLI rendered directly on the VLAN interface in the final EOS configuration
eos_cli: <str>
VXLAN interface¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| vxlan_interface | Dictionary | ||||
| Vxlan1 | Dictionary | ||||
| description | String | ||||
| vxlan | Dictionary | ||||
| source_interface | String | Source Interface Name | |||
| controller_client | Dictionary | Client to CVX Controllers | |||
| enabled | Boolean | ||||
| mlag_source_interface | String | ||||
| udp_port | Integer | ||||
| virtual_router_encapsulation_mac_address | String | “mlag-system-id” or ethernet_address (H.H.H) |
|||
| bfd_vtep_evpn | Dictionary | ||||
| interval | Integer | ||||
| min_rx | Integer | ||||
| multiplier | Integer | Min: 3 Max: 50 |
|||
| prefix_list | String | ||||
| qos | Dictionary | For the Traffic Class to be derived based on the outer DSCP field of the incoming VxLan packet, the core ports must be in “DSCP Trust” mode. !!!Warning, only few hardware types with software version >= 4.26.0 support the below knobs to configure Vxlan DSCP mapping. |
|||
| dscp_propagation_encapsulation | Boolean | ||||
| ecn_propagation | Boolean | Enable copying the ECN marking to/from encapsulated packets. |
|||
| map_dscp_to_traffic_class_decapsulation | Boolean | ||||
| vlans | List, items: Dictionary | ||||
| - id | Integer | Required, Unique | VLAN ID | ||
| vni | Integer | ||||
| multicast_group | String | IP Multicast Group Address | |||
| flood_vteps | List, items: String | ||||
| - <str> | String | Remote VTEP IP Address | |||
| vrfs | List, items: Dictionary | ||||
| - name | String | Required, Unique | VRF Name | ||
| vni | Integer | ||||
| multicast_group | String | IP Multicast Group Address | |||
| flood_vteps | List, items: String | ||||
| - <str> | String | Remote VTEP IP Address | |||
| flood_vtep_learned_data_plane | Boolean | ||||
| eos_cli | String | Multiline String with EOS CLI rendered directly on the Vxlan interface in the final EOS configuration. |
vxlan_interface:
Vxlan1:
description: <str>
vxlan:
# Source Interface Name
source_interface: <str>
# Client to CVX Controllers
controller_client:
enabled: <bool>
mlag_source_interface: <str>
udp_port: <int>
# "mlag-system-id" or ethernet_address (H.H.H)
virtual_router_encapsulation_mac_address: <str>
bfd_vtep_evpn:
interval: <int>
min_rx: <int>
multiplier: <int; 3-50>
prefix_list: <str>
# For the Traffic Class to be derived based on the outer DSCP field of the incoming VxLan packet, the core ports must be in "DSCP Trust" mode.
# !!!Warning, only few hardware types with software version >= 4.26.0 support the below knobs to configure Vxlan DSCP mapping.
qos:
dscp_propagation_encapsulation: <bool>
# Enable copying the ECN marking to/from encapsulated packets.
ecn_propagation: <bool>
map_dscp_to_traffic_class_decapsulation: <bool>
vlans:
# VLAN ID
- id: <int; required; unique>
vni: <int>
# IP Multicast Group Address
multicast_group: <str>
flood_vteps:
# Remote VTEP IP Address
- <str>
vrfs:
# VRF Name
- name: <str; required; unique>
vni: <int>
# IP Multicast Group Address
multicast_group: <str>
flood_vteps:
# Remote VTEP IP Address
- <str>
flood_vtep_learned_data_plane: <bool>
# Multiline String with EOS CLI rendered directly on the Vxlan interface in the final EOS configuration.
eos_cli: <str>
Maintenance Mode¶
BGP groups¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| bgp_groups | List, items: Dictionary | ||||
| - name | String | Required, Unique | Group Name | ||
| vrf | String | ||||
| neighbors | List, items: String | ||||
| - <str> | String | ||||
| bgp_maintenance_profiles | List, items: String | ||||
| - <str> | String | Profile Name |
Interface groups¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| interface_groups | List, items: Dictionary | ||||
| - name | String | Required, Unique | Interface-Group name | ||
| interfaces | List, items: String | ||||
| - <str> | String | Interface Name | |||
| bgp_maintenance_profiles | List, items: String | ||||
| - <str> | String | Name of BGP Maintenance Profile | |||
| interface_maintenance_profiles | List, items: String | ||||
| - <str> | String | Name of Interface Maintenance Profile |
Maintenance¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| maintenance | Dictionary | ||||
| default_interface_profile | String | Name of default Interface Profile |
|||
| default_bgp_profile | String | Name of default BGP Profile |
|||
| default_unit_profile | String | Name of default Unit Profile |
|||
| interface_profiles | List, items: Dictionary | ||||
| - name | String | Required, Unique | |||
| rate_monitoring | Dictionary | ||||
| load_interval | Integer | Load Interval in Seconds |
|||
| threshold | Integer | Threshold in kbps |
|||
| shutdown | Dictionary | ||||
| max_delay | Integer | Max delay in seconds |
|||
| bgp_profiles | List, items: Dictionary | ||||
| - name | String | Required, Unique | BGP Profile Name | ||
| initiator | Dictionary | ||||
| route_map_inout | String | Route Map | |||
| unit_profiles | List, items: Dictionary | ||||
| - name | String | Required, Unique | Unit Profile Name | ||
| on_boot | Dictionary | ||||
| duration | Integer | Min: 300 Max: 3600 |
On-boot in seconds |
||
| units | List, items: Dictionary | ||||
| - name | String | Required, Unique | Unit Name | ||
| quiesce | Boolean | ||||
| profile | String | Name of Unit Profile |
|||
| groups | Dictionary | ||||
| bgp_groups | List, items: String | ||||
| - <str> | String | Name of BGP Group |
|||
| interface_groups | List, items: String | ||||
| - <str> | String | Name of Interface Group |
maintenance:
# Name of default Interface Profile
default_interface_profile: <str>
# Name of default BGP Profile
default_bgp_profile: <str>
# Name of default Unit Profile
default_unit_profile: <str>
interface_profiles:
- name: <str; required; unique>
rate_monitoring:
# Load Interval in Seconds
load_interval: <int>
# Threshold in kbps
threshold: <int>
shutdown:
# Max delay in seconds
max_delay: <int>
bgp_profiles:
# BGP Profile Name
- name: <str; required; unique>
initiator:
# Route Map
route_map_inout: <str>
unit_profiles:
# Unit Profile Name
- name: <str; required; unique>
on_boot:
# On-boot in seconds
duration: <int; 300-3600>
units:
# Unit Name
- name: <str; required; unique>
quiesce: <bool>
# Name of Unit Profile
profile: <str>
groups:
bgp_groups:
# Name of BGP Group
- <str>
interface_groups:
# Name of Interface Group
- <str>
Management¶
Aliases¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| aliases | String | Multi-line string with one or more alias commands. Example: yaml<br>aliases: |<br> alias wr copy running-config startup-config<br> alias siib show ip interface brief<br> |
Banners¶
Boot¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| boot | Dictionary | Set the Aboot password |
|||
| secret | Dictionary | ||||
| hash_algorithm | String | sha512 |
Valid Values: - md5- sha512 |
||
| key | String | Hashed Password |
Clock¶
DNS domain¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| dns_domain | String | Domain Name |
Domain-list¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| domain_list | List, items: String | Search list of DNS domains | |||
| - <str> | String | Domain name |
Hostname¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| hostname | String |
IP domain lookup¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_domain_lookup | Dictionary | ||||
| source_interfaces | List, items: Dictionary | ||||
| - name | String | Required, Unique | Source Interface |
||
| vrf | String |
IP HTTP client source-interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_http_client_source_interfaces | List, items: Dictionary | ||||
| - name | String | Interface Name | |||
| vrf | String |
IP name servers¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_name_servers | List, items: Dictionary | ||||
| - ip_address | String | IPv4 or IPv6 address for DNS server | |||
| vrf | String | VRF Name | |||
| priority | Integer | Min: 0 Max: 4 |
Priority value (lower is first) |
IP SSH client source-interfaces¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| ip_ssh_client_source_interfaces | List, items: Dictionary | ||||
| - name | String | Interface Name | |||
| vrf | String | default |
Management accounts¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| management_accounts | Dictionary | ||||
| password | Dictionary | ||||
| policy | String |
Management API HTTP¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| management_api_http | Dictionary | ||||
| enable_http | Boolean | ||||
| enable_https | Boolean | ||||
| https_ssl_profile | String | SSL Profile Name | |||
| default_services | Boolean | Enable default services: capi-doc and tapagg | |||
| enable_vrfs | List, items: Dictionary | ||||
| - name | String | Required, Unique | VRF Name | ||
| access_group | String | Standard IPv4 ACL name | |||
| ipv6_access_group | String | Standard IPv6 ACL name | |||
| protocol_https_certificate | Dictionary | ||||
| certificate | String | Name of certificate; private key must also be specified | |||
| private_key | String | Name of private key; certificate must also be specified |
management_api_http:
enable_http: <bool>
enable_https: <bool>
# SSL Profile Name
https_ssl_profile: <str>
# Enable default services: capi-doc and tapagg
default_services: <bool>
enable_vrfs:
# VRF Name
- name: <str; required; unique>
# Standard IPv4 ACL name
access_group: <str>
# Standard IPv6 ACL name
ipv6_access_group: <str>
protocol_https_certificate:
# Name of certificate; private key must also be specified
certificate: <str>
# Name of private key; certificate must also be specified
private_key: <str>
Management API models¶
Management console¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| management_console | Dictionary | ||||
| idle_timeout | Integer | Min: 0 Max: 86400 |
Management defaults¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| management_defaults | Dictionary | ||||
| secret | Dictionary | ||||
| hash | String | Valid Values: - md5- sha512 |
Management security¶
| Variable | Type | Required | Default | Value Restrictions | Description |
|---|---|---|---|---|---|
| management_security | Dictionary | ||||
| entropy_source | String | ||||
| password | Dictionary | ||||
| minimum_length | Integer | Min: 1 Max: 32 |
|||
| encryption_key_common | Boolean | ||||
| encryption_reversible | String | ||||
| policies | List, items: Dictionary | ||||
| - name | String | Required, Unique | |||
| minimum | Dictionary | ||||
| digits | Integer | Min: 1 Max: 65535 |
|||
| length | Integer | Min: 1 Max: 65535 |
|||
| lower | Integer | Min: 1 Max: 65535 |
|||
| special | Integer | Min: 1 Max: 65535 |
|||
| upper | Integer | Min: 1 Max: 65535 |
|||
| maximum | Dictionary | ||||
| repetitive | Integer | Min: 1 Max: 65535 |
|||
| sequential | Integer | Min: 1 Max: 65535 |
|||
| ssl_profiles | List, items: Dictionary | ||||
| - name | String | ||||
| tls_versions | String | List of allowed TLS versions as string Examples: - “1.0” - “1.0 1.1” |
|||
| cipher_list | String | cipher_list syntax follows the openssl cipher strings format. Colon (:) separated list of allowed ciphers as a string |
|||
| trust_certificate | Dictionary | ||||
| certificates | List, items: String | List of trust certificate names Examples: - test1.crt - test2.crt |
|||
| - <str> | String | ||||
| requirement | Dictionary | ||||
| basic_constraint_ca | Boolean | ||||
| hostname_fqdn | Boolean | Enforce hostname to be FQDN without wildcard. |
|||
| policy_expiry_date_ignore | Boolean | ||||
| system | Boolean | Use system-supplied trust certificates. |
|||
| chain_certificate | Dictionary | ||||
| certificates | List, items: String | List of chain certificate names Examples: - chain1.crt - chain2.crt |
|||
| - <str> | String | ||||
| requirement | Dictionary | ||||
| basic_constraint_ca | Boolean | ||||
| include_root_ca | Boolean | ||||
| certificate | Dictionary | ||||
| file | String | ||||
| key | String |
management_security:
entropy_source: <str>
password:
minimum_length: <int; 1-32>
encryption_key_common: <bool>
encryption_reversible: <str>
policies:
- name: <str; required; unique>
minimum:
digits: <int; 1-65535>
length: <int; 1-65535>
lower: <int; 1-65535>
special: <int; 1-65535>
upper: <int; 1-65535>
maximum:
repetitive: <int; 1-65535>
sequential: <int; 1-65535>
ssl_profiles:
- name: <str>
# List of allowed TLS versions as string
# Examples:
# - "1.0"
# - "1.0 1.1"
tls_versio