eos_cli_config_gen¶
Overview¶
eos_cli_config_gen, is a role that generates eos cli syntax and device documentation.
The eos_cli_config_gen role:
- Designed to generate the intended configuration offline, without relying on switch current state information.
- Facilitates the evaluation of the configuration prior to deployment with tools like Batfish
- Facilitates the evaluation of the configuration post deployment with eos_validate_state role.
Role Inputs and Outputs¶
Figure 1 below provides a visualization of the roles inputs, and outputs and tasks in order executed by the role.
Inputs:
- Structured EOS configuration file in yaml format.
Outputs:
- EOS configuration in CLI format.
- Device Documentation in Markdown format.
Tasks:
- Include device structured configuration that was previously generated.
- Generate EOS configuration in CLI format.
- Generate Device Documentation in Markdown format.
Requirements¶
Requirements are located here: avd-requirements
Extensibility with Custom Templates¶
- Custom templates can be added below the playbook directory.
- If a location above the directory is desired, a symbolic link can be used.
-
Example under the
playbooks
directory create symbolic link with the following command:
- The output will be rendered at the end of the configuration.
- The order of custom templates in the list can be important if they overlap.
- It is recommenended to use a
!
delimiter at the top of each custom template.
Add custom template to group/host variables:
custom_templates:
- < template 1 relative path below playbook directory >
- < template 2 relative path below playbook directory >
Input Variables¶
- The input variables are documented inline within yaml formatted output with: “< >”
- Variables are organized in order of how they appear in the CLI syntax.
- Available features and variables may vary by platforms, refer to documentation on arista.com for specifics.
- All values are optional.
ACLs¶
IP Extended Access-Lists¶
AVD currently supports 2 different data models for extended ACLs:
- The legacy
access_lists
data model, for compatibility with existing deployments - The improved
ip_access_lists
data model, for access to more EOS features
Both data models can coexist without conflicts, as different keys are used: access_lists
vs ip_access_lists
.
Access list names must be unique.
The legacy data model supports simplified ACL definition with sequence_number
to action_string
mapping:
access_lists:
< access_list_name_1 >:
counters_per_entry: < true | false >
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
< sequence_id_2 >:
action: "< action as string >"
< access_list_name_2 >:
counters_per_entry: < true | false >
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
The improved data model has a more sophisticated design documented below:
ip_access_lists:
- name: "< access list name as string >"
counters_per_entry: < true | false >
entries:
# remark entry
- sequence: < acl entry sequence number > # optional
# NOTE: if remark is defined, other keys in acl entry will be ignored
remark: "< Comment, up to 100 characters >"
# normal entry
- sequence: < acl entry sequence number > # optional
action: "< permit | deny >" # required
protocol: "< ip | tcp | udp | icmp | other protocol name or number >" # required
# NOTE: A.B.C.D without a mask means host
source: "< any | A.B.C.D/E | A.B.C.D >" # required
source_ports_match: "< eq | gt | lt | neq | range | default -> eq >"
source_ports: ["< tcp/udp port name or number >",] # optional
# NOTE: A.B.C.D without a mask means host
destination: "< any | A.B.C.D/E | A.B.C.D >" # required
destination_ports_match: "< eq | gt | lt | neq | range| default -> eq >"
destination_ports: ["< tcp/udp port name or number >",] # optional
tcp_flags: ["< tcp flag name >",] # optional
fragments: < true | false > # optional, match non-head fragment packets
log: < true | false > # optional, log matches against this rule
ttl: < <0-254> TTL value > # optional
ttl_match: "< eq | gt | lt | neq| default -> eq >" # optional
icmp_type: "< Message type name/number for ICMP packets >" # optional
icmp_code: "< Message code for ICMP packets >" # optional
nexthop_group: "< nexthop-group name >" # optional
tracked: < true | false > # optional, match packets in existing ICMP/UDP/TCP connections
dscp: "< DSCP value or name >" # optional
vlan_number: < vlan number > # optional
vlan_inner: < true | false| default -> false > # optional
vlan_mask: "< 0x000-0xFFF Vlan mask >" # optional
The improved data model allows to limit the number of ACL entries that AVD is allowed to generate by defining ip_access_lists_max_entries
.
Only normal entries under ip_access_lists
will be counted, remarks will be ignored.
If the number is above the limit, the playbook will fail. This provides a simplified control over hardware utilization.
The numbers must be based on the hardware tests and AVD does not provide any guidance. Note that other EOS features may use the same hardware resources and affect the supported scale.
IPv6 Standard Access-Lists¶
ipv6_standard_access_lists:
< ipv6_access_list_name_1 >:
counters_per_entry: < true | false >
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
< sequence_id_2 >:
action: "< action as string >"
< ipv6_access_list_name_2 >:
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
IP Standard Access-Lists¶
standard_access_lists:
< access_list_name_1 >:
counters_per_entry: < true | false >
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
< sequence_id_2 >:
action: "< action as string >"
< access_list_name_2 >:
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
IPv6 Extended Access-Lists¶
ipv6_access_lists:
< ipv6_access_list_name_1 >:
counters_per_entry: < true | false >
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
< sequence_id_2 >:
action: "< action as string >"
< ipv6_access_list_name_2 >:
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
MAC Access-Lists¶
mac_access_lists:
- name: < mac_access_list_name_1 >
counters_per_entry: < true | false >
entries:
- sequence: < sequence_id_1 >
action: "< action as string >"
- sequence: < sequence_id_2 >
action: "< action as string >"
- name: < mac_access_list_name_2 >
entries:
- sequence: < sequence_id_1 >
action: "< action as string >"
Aliases¶
Authentication¶
AAA Authentication¶
aaa_authentication:
login:
default: < group group_name | local | none > < group group_name | local | none >
console: < group group_name | local | none > < group group_name | local | none >
enable:
default: < group group_name | local | none > < group group_name | local | none >
dot1x:
default: < group group_name >
policies:
on_failure_log: < true | false >
on_success_log: < true | false >
local:
allow_nopassword: < false | true >
lockout:
failure: < 1-255 >
duration: < 1-4294967295 >
window: < 1-4294967295 >
AAA Authorization¶
aaa_authorization:
exec:
default: < group group_name | local | none > < group group_name | local | none >
config_commands: < true | false >
serial_console: < true | false >
commands:
all_default: < group group_name | local | none > < group group_name | local | none >
privilege:
- level: < privilege level(s) 0-15 >
default: < group group_name | local | none > < group group_name | local | none >
AAA Accounting¶
aaa_accounting:
exec:
console:
type: < none | start-stop | stop-only >
group: < group_name >
default:
type: < none | start-stop | stop-only >
group: < group_name >
system:
default:
type: < none | start-stop | stop-only >
group: < group_name >
commands:
console:
- commands: < all | 0-15 >
type: < none | start-stop | stop-only >
group: < group_name >
logging: < true | false >
- commands: < all | 0-15 >
type: < none | start-stop | stop-only >
group: < group_name >
logging: < true | false >
default:
- commands: < all | 0-15 >
type: < none | start-stop | stop-only >
group: < group_name >
logging: < true | false >
- commands: < all | 0-15 >
type: < none | start-stop | stop-only >
group: < group_name >
logging: < true | false >
AAA Root¶
AAA Server Groups¶
aaa_server_groups:
- name: < server_group_name >
type: < tacacs+ | radius | ldap >
servers:
- server: < server1_ip_address >
vrf: < vrf_name >
- server: < server1_ip_address >
vrf: < vrf_name >
- name: < server_group_name >
type: < tacacs+ | radius | ladp >
servers:
- server: < host1_ip_address >
CVX¶
CVX server features are not supported on physical switches. See management_cvx
for client configurations.
cvx:
shutdown: < true | false >
services:
mcs:
redis:
password: < password >
password_type: < 0 | 7 | 8a | default -> 7 >
shutdown: < true | false >
peer_hosts:
- < IP address or hostname >
Enable Password¶
IP RADIUS Source Interfaces¶
ip_radius_source_interfaces:
- name: < interface_name_1 >
vrf: < vrf_name_1 >
- name: < interface_name_2 >
vrf: < vrf_name_2 >
IP TACACS+ Source Interfaces¶
ip_tacacs_source_interfaces:
- name: <interface_name_1 >
vrf: < vrf_name_1 >
- name: <interface_name_2 >
Local Users¶
local_users:
< user_1 >:
disabled: < true | false | default -> false >
privilege: < 0-15 >
role: < role >
sha512_password: "< sha_512_password >"
no_password: < true | do not configure a password for given username. sha512_password MUST not be defined for this user. >
ssh_key: "< ssh_key_string >"
< user_2 >:
disabled: < true | false | default -> false >
privilege: < 0-15 >
role: < role >
sha512_password: "< sha_512_password >"
no_password: < true | do not configure a password for given username. sha512_password MUST not be defined for this user. >
ssh_key: "< ssh_key_string >"
Roles¶
roles:
- name: < role_name >
sequence_numbers:
- sequence: < sequence_number_1 >
action: < permit | deny >
mode: < "config" | "config-all" | "exec" | "<mode>" >
command: < command as string >
- sequence: < sequence_number_2 >
action: < permit | deny >
mode: < "config" | "config-all" | "exec" | "<mode>" >
command: < command as string >
Radius Servers¶
Tacacs+ Servers¶
tacacs_servers:
hosts:
- host: < host1_ip_address >
vrf: < vrf_name >
key: < encrypted_key >
key_type: < 0 | 7 | 8a | default -> 7 >
single_connection: < true | false >
- host: < host2_ip_address >
key: < encrypted_key >
timeout: < timeout in seconds >
policy_unknown_mandatory_attribute_ignore: < true | false >
Endpoint Security¶
Global 802.1x Authentication¶
dot1x:
system_auth_control: < true | false >
protocol_lldp_bypass: < true | false >
dynamic_authorization: < true | false >
Banners¶
Router BFD¶
router_bfd:
interval: < rate in milliseconds >
min_rx: < rate in milliseconds >
multiplier: < 3-50 >
multihop:
interval: < rate in milliseconds >
min_rx: < rate in milliseconds >
multiplier: < 3-50 >
sbfd:
local_interface:
name: < interface name >
protocols:
ipv4: < true | false >
ipv6: < true | false >
initiator_interval: < rate in milliseconds >
initiator_multiplier: < 3-50 >
reflector:
min_rx: < rate in milliseconds >
local_discriminator: < IPv4_address | u32 format >
DHCP Relay¶
EOS CLI¶
# EOS CLI rendered directly on the root level of the final EOS configuration
eos_cli: |
< multiline eos cli >
Errdisable¶
errdisable:
detect:
causes:
- acl
- arp-inspection
- dot1x
- link-change
- tapagg
- xcvr-misconfigured
- xcvr-overheat
- xcvr-power-unsupported
- xcvr-unsupported
recovery:
causes:
- arp-inspection
- bpduguard
- dot1x
- hitless-reload-down
- lacp-rate-limit
- link-flap
- no-internal-vlan
- portchannelguard
- portsec
- speed-misconfigured
- tapagg
- uplink-failure-detection
- xcvr-misconfigured
- xcvr-overheat
- xcvr-power-unsupported
- xcvr-unsupported
interval: < seconds | default = 300 >
Filters¶
Dynamic Prefix Lists¶
dynamic_prefix_lists:
- name: < dynamic_prefix_list_name >
match_map: < route_map >
prefix_list:
ipv4: < ipv4_prefix_list >
- name: < dynamic_prefix_list_name >
match_map: < route_map >
prefix_list:
ipv6: < ipv6_prefix_list >
- name: < dynamic_prefix_list_name >
match_map: < route_map >
prefix_list:
ipv4: < ipv4_prefix_list >
ipv6: < ipv6_prefix_list >
Prefix Lists¶
prefix_lists:
< prefix_list_name_1 >:
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
< sequence_id_2 >:
action: "< action as string >"
< prefix_list_name_2 >:
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
IPv6 Prefix Lists¶
ipv6_prefix_lists:
< ipv6_prefix_list_name_1 >:
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
< sequence_id_2 >:
action: "< action as string >"
< ipv6_prefix_list_name_2 >:
sequence_numbers:
< sequence_id_1 >:
action: "< action as string >"
Community Lists¶
AVD supports 2 different data models for community lists:
- The legacy
community_lists
data model that can be used for compatibility with the existing deployments. - The improved
ip_community_lists
data model.
Both data models can coexist without conflicts, as different keys are used: community_lists
vs ip_community_lists
.
Community list names must be unique.
The legacy data model supports simplified community list definition that only allows a single action to be defined as string:
community_lists:
< community_list_name_1 >:
action: "< action as string >"
< community_list_name_2 >:
action: "< action as string >"
The improved data model has a better design documented below:
ip_community_lists:
- name: "<ip community list name as string>" # mandatory
entries:
- action: "< permit | deny >" # required
# communities and regexp MUST not be configured together in the same entry
# possible community strings are (case insensitive):
# - GSHUT
# - internet
# - local-as
# - no-advertise
# - no-export
# - <1-4294967040>
# - aa:nn
communities: [ "< a_community as string >", "< another_community as string >", ... ] # optional, if defined - standard community list will be configured
regexp: "< regular expression >" # if defined, regex community list will be configured
IP Extended Community Lists¶
ip_extcommunity_lists:
< community_list_name_1 >:
- type: < permit | deny >
extcommunities: "< communities as string >"
< community_list_name_2 >:
- type: < permit | deny >
extcommunities: "< communities as string >"
IP Extended Community Lists RegExp¶
ip_extcommunity_lists_regexp:
< community_list_name >:
- type: < permit | deny >
regexp: "< string >"
Peer Filters¶
peer_filters:
< peer_filter_name_1:
sequence_numbers:
< sequence_id_1 >:
match: "< match as string >"
< sequence_id_2 >:
match: "< match as string >"
< peer_filter_name_2:
sequence_numbers:
< sequence_id_1 >:
match: "< match as string >"
Route Maps¶
route_maps:
< route_map_name_1 >:
sequence_numbers:
< sequence_id_1 >:
type: < permit | deny >
description: < description >
match:
- "< match rule 1 as string >"
- "< match rule 2 as string >"
set:
- "< set as string >"
sub_route_map: < sub-route-map name >
continue:
enabled: < true | false >
sequence_number: < integer >
< sequence_id_2 >:
type: < permit | deny >
match:
- "< match as string >"
< route_map_name_2 >:
sequence_numbers:
< sequence_id_1 >:
type: < permit | deny >
description: < description >
set:
- "< set rule 1 as string >"
- "< set rule 2 as string >"
Match Lists¶
match_list_input:
string:
< match_list_1 >:
sequence_numbers:
< sequence_id 1 >:
match_regex: < match string >
AS Path¶
as_path:
regex_mode: < asn | string >
access_lists:
- name: < access_list_name_1 >
entries:
- type: < permit | deny >
match: "< regex to match >"
origin: < "any" | "egp" | "igp" | "incomplete" | default -> "any" >
Flow Tracking¶
flow_trackings:
# Only 'sampled' is supported for type
- type: < "sampled" >
sample: < 1-4294967295 >
trackers:
- name: < tracker_name >
record_export:
on_inactive_timeout: < 3000-900000 >
on_interval: < 1000-36000000 >
mpls: < true | false >
exporters:
- name: < exporter_name >
collector:
host: < collector_ip_or_hostname >
port: < 1-65535 >
format:
# Note that platforms only support 10 today
ipfix_version: < ipfix_version as integer >
local_interface: < local_interface_name >
template_interval: < 5000-3600000 >
shutdown: < true | false >
Generate Device Documentation¶
Generate Default Config¶
The generate_default_config
knob allows to omit default EOS configuration.
This can be useful when leveraging eos_cli_config_gen
to generate configlets with CloudVision.
The following commands will be omitted when generate_default_config
is set to false
:
- RANCID Content Type
- Hostname
- Default configuration for
aaa
- Default configuration for
enable password
- Transceiver qsfp default mode
- End of configuration delimiter
Hardware¶
Hardware Counters¶
hardware_counters:
features:
- <feature_1>: < direction | in | out >
- <feature_1>: < direction | in | out >
Hardware TCAM Profiles¶
tcam_profile:
system: < tcam profile name to activate >
profiles:
< tcam_profile 01 >: "{{ lookup('file', '< path to TCAM profile using EOS syntax >') }}"
Platform¶
platform:
trident:
forwarding_table_partition: < partition >
# Most of the platform sand options are hardware dependant and optional
sand:
# The traffic-class to network-qos mappings must be unique
qos_maps:
- traffic_class: < 0-7 >
to_network_qos: < 0-63 >
lag:
hardware_only: < true | false >
mode: < mode >
forwarding_mode: < petraA | arad >
multicast_replication:
default: ingress
Redundancy¶
Speed-Group Settings¶
hardware:
access_list:
mechanism: < algomatch | none | tcam >
speed_groups:
1:
serdes: < 10g | 25g >
2:
serdes: < 10g | 25g >
...
Interfaces¶
Ethernet Interfaces¶
Routed Ethernet Interfaces¶
# Routed Interfaces
ethernet_interfaces:
<Ethernet_interface_1 >:
description: < description >
shutdown: < true | false >
speed: < interface_speed | forced interface_speed | auto interface_speed >
mtu: < mtu >
# l3dot1q and l2dot1q are used for sub-interfaces.
# The parent interface should be defined as routed.
type: < routed | switched | l3dot1q | l2dot1q >
snmp_trap_link_change: < true | false >
vrf: < vrf_name >
flow_tracker:
sampled: < flow_tracker_name >
error_correction_encoding:
enabled: < true | false | default -> true >
fire_code: < true | false >
reed_solomon: < true | false >
link_tracking_groups:
- name: < group_name >
direction: < upstream | downstream >
encapsulation_dot1q_vlan: < vlan tag to configure on sub-interface >
encapsulation_vlan:
client:
dot1q:
vlan: < Client VLAN ID >
outer: < Client Outer VLAN ID >
inner: < Client Inner VLAN ID >
unmatched: < true | false >
# network encapsulation is all optional, and skipped if using client unmatched.
network:
dot1q:
vlan: < Network VLAN ID >
outer: < Network Outer VLAN ID >
inner: < Network Inner VLAN ID >
client: < true | false >
vlan_id: < 1-4094 >
ip_address: < IPv4_address/Mask >
ip_address_secondaries:
- < IPv4_address/Mask >
- < IPv4_address/Mask >
ip_helpers:
< ip_helper1 >:
source_interface: < source_interface_name >
vrf: < vrf_name >
< ip_helper2 >:
source_interface: < source_interface_name >
vrf: < vrf_name >
ipv6_enable: < true | false >
ipv6_address: < IPv6_address/Mask >
ipv6_address_link_local: < link_local_IPv6_address/Mask >
ipv6_nd_ra_disabled: < true | false >
ipv6_nd_managed_config_flag: < true | false >
ipv6_nd_prefixes:
< IPv6_address_1/Mask >:
valid_lifetime: < infinite or lifetime in seconds >
preferred_lifetime: < infinite or lifetime in seconds >
no_autoconfig_flag: < true | false >
< IPv6_address_2/Mask >:
access_group_in: < access_list_name >
access_group_out: < access_list_name >
ipv6_access_group_in: < ipv6_access_list_name >
ipv6_access_group_out: < ipv6_access_list_name >
mac_access_group_in: < mac_access_list_name >
mac_access_group_out: < mac_access_list_name >
multicast:
# boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both
ipv4:
boundaries:
- boundary: < acl_name | multicast_ip_subnet >
out: < true | false >
static: < true | false >
ipv6:
boundaries:
- boundary: < acl_name | multicast_ip_subnet >
static: < true | false >
ospf_network_point_to_point: < true | false >
ospf_area: < ospf_area >
ospf_cost: < ospf_cost >
ospf_authentication: < none | simple | message-digest >
ospf_authentication_key: "< encrypted_password >"
ospf_message_digest_keys:
< id >:
hash_algorithm: < md5 | sha1 | sha 256 | sha384 | sha512 >
key: "< encrypted_password >"
pim:
ipv4:
dr_priority: < 0-429467295 >
sparse_mode: < true | false >
mac_security:
profile: < profile >
isis_enable: < ISIS Instance >
isis_passive: < boolean >
isis_metric: < integer >
isis_network_point_to_point: < boolean >
isis_circuit_type: < level-1-2 | level-1 | level-2 >
isis_hello_padding: < true | false >
isis_authentication_mode: < text | md5 >
isis_authentication_key: < type-7 encrypted password >
ptp:
enable: < true | false >
announce:
interval: < integer >
timeout: < integer >
delay_req: < integer >
delay_mechanism: < e2e | p2p >
sync_message:
interval: < integer >
role: < master | dynamic >
vlan: < all | list of vlans as string >
transport: < ipv4 | ipv6 | layer2 >
logging:
event:
link_status: < true | false >
congestion_drops: < true | false >
lldp:
transmit: < true | false >
receive: < true | false >
service_profile: < qos_profile >
shape:
rate: < "< rate > kbps" | "1-100 percent" | "< rate > pps" , supported options are platform dependent >
qos:
trust: < dscp | cos | disabled >
dscp: < dscp-value >
cos: < cos-value >
priority_flow_control:
enabled: < true | false >
priorities:
- priority: < 0-7 >
no_drop: < true | false >
bfd:
echo: < true | false >
interval: < rate in milliseconds >
min_rx: < rate in milliseconds >
multiplier: < 3-50 >
service_policy:
pbr:
input: < policy-map name >
mpls:
ip: < true | false >
ldp:
interface: < true | false >
igp_sync: < true | false >
lacp_timer:
mode: < fast | normal >
multiplier: < 3 - 3000 >
transceiver:
media:
override: < transceiver_type >
ip_proxy_arp: < true | false >
traffic_policy:
input: < ingress traffic policy >
output: < egress traffic policy >
# EOS CLI rendered directly on the ethernet interface in the final EOS configuration
eos_cli: |
< multiline eos cli >
Switched Ethernet Interfaces¶
# Switched Interfaces
ethernet_interfaces:
<Ethernet_interface_2 >:
description: < description >
shutdown: < true | false >
speed: < interface_speed | forced interface_speed | auto interface_speed >
mtu: < mtu >
l2_mtu: < l2-mtu - if defined this profile should only be used for platforms supporting the "l2 mtu" CLI >
vlans: "< list of vlans as string >"
# If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence
native_vlan: < native_vlan_number >
native_vlan_tag: < boolean | default -> false >
mode: < access | dot1q-tunnel | trunk | "trunk phone" >
phone:
trunk: < tagged | untagged >
vlan: < 1-4094 >
trunk_groups:
- < trunk_group_name_1 >
- < trunk_group_name_2 >
l2_protocol:
encapsulation_dot1q_vlan: < vlan number >
flow_tracker:
sampled: < flow_tracker_name >
error_correction_encoding:
enabled: < true | false | default -> true >
fire_code: < true | false >
reed_solomon: < true | false >
link_tracking_groups:
- name: < group_name >
direction: < upstream | downstream >
evpn_ethernet_segment:
identifier: < EVPN Ethernet Segment Identifier (Type 1 format) >
redundancy: < all-active | single-active >
designated_forwarder_election:
algorithm: < modulus | preference >
# preference_value and dont_preempt are set for preference algorithm and are optional
preference_value: < 0-65535 >
dont_preempt: < true | false | default -> false >
hold_time: < integer >
subsequent_hold_time: < integer >
candidate_reachability_required: < true | false >
mpls:
shared_index: < 1-1024 >
tunnel_flood_filter_time: < integer >
route_target: < EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx >
snmp_trap_link_change: < true | false >
flowcontrol:
received: < "desired" | "send" | "on" >
mac_security:
profile: < profile >
channel_group:
id: < Port-Channel_id >
mode: < "on" | "active" | "passive" >
qos:
trust: < dscp | cos | disabled >
dscp: < dscp-value >
cos: < cos-value >
spanning_tree_bpdufilter: < "enabled" | true | "disabled" >
spanning_tree_bpduguard: < "enabled" | true | "disabled" >
spanning_tree_guard: < loop | root | disabled >
spanning_tree_portfast: < edge | network >
vmtracer: < true | false >
ptp:
enable: < true | false >
announce:
interval: < integer >
timeout: < integer >
delay_req: < integer >
delay_mechanism: < e2e | p2p >
sync_message:
interval: < integer >
role: < master | dynamic >
vlan: < all | list of vlans as string >
transport: < ipv4 | ipv6 | layer2 >
service_profile: < qos_profile >
profile: < interface_profile >
shape:
rate: < "< rate > kbps" | "1-100 percent" | "< rate > pps" , supported options are platform dependent >
storm_control:
all:
level: < Configure maximum storm-control level >
unit: < percent* | pps (optional and is hardware dependant - default is percent)>
broadcast:
level: < Configure maximum storm-control level >
unit: < percent* | pps (optional and is hardware dependant - default is percent)>
multicast:
level: < Configure maximum storm-control level >
unit: < percent* | pps (optional and is hardware dependant - default is percent) >
unknown_unicast:
level: < Configure maximum storm-control level >
unit: < percent* | pps (optional and is hardware dependant - default is percent)>
bfd:
echo: < true | false >
interval: < rate in milliseconds >
min_rx: < rate in milliseconds >
multiplier: < 3-50 >
lacp_timer:
mode: < fast | normal >
multiplier: < 3 - 3000 >
lacp_port_priority: < 0-65535 >
lldp:
transmit: < true | false >
receive: < true | false >
ztp_vlan: < ztp vlan number >
trunk_private_vlan_secondary: < true | false >
pvlan_mapping: "< list of vlans as string >"
vlan_translations:
- from: < list of vlans as string (only one vlan if direction is "both") >
to: < vlan_id >
direction: < in | out | both | default -> both >
dot1x:
port_control: < "auto" | "force-authorized" | "force-unauthorized" >
port_control_force_authorized_phone: < true | false >
reauthentication: < true | false >
pae:
mode: < "authenticator" >
authentication_failure:
action: < "allow" | "drop" >
allow_vlan: < 1-4094 >
host_mode:
mode: < "multi-host" | "single-host" >
multi_host_authenticated: < true | false >
mac_based_authentication:
enabled: < true | false >
always: < true | false >
host_mode_common: < true | false >
timeout:
idle_host: < 10-65535 >
quiet_period: < 1-65535 >
reauth_period: < 60-4294967295 | server >
reauth_timeout_ignore: < true | false >
tx_period: < 1-65535 >
reauthorization_request_limit: < 1-10 >
traffic_policy:
input: < ingress traffic policy >
output: < egress traffic policy >
# EOS CLI rendered directly on the ethernet interface in the final EOS configuration
eos_cli: |
< multiline eos cli >
Interface Defaults¶
Switchport Default¶
switchport_default:
mode: < routed | access >
phone:
cos: < 0-7 >
trunk: < tagged | untagged >
vlan: < 1-4094 >
Interface Profiles¶
Loopback Interfaces¶
loopback_interfaces:
< Loopback_interface_1 >:
description: < description >
shutdown: < true | false >
vrf: < vrf_name >
ip_address: < IPv4_address/Mask >
ip_address_secondaries:
- < IPv4_address/Mask >
- < IPv4_address/Mask >
ipv6_enable: < true | false >
ipv6_address: < IPv6_address/Mask >
ip_proxy_arp: < true | false >
ospf_area: < ospf_area >
mpls:
ldp:
interface: < true | false >
# EOS CLI rendered directly on the loopback interface in the final EOS configuration
eos_cli: |
< multiline eos cli >
< Loopback_interface_2 >:
description: < description >
ip_address: < IPv4_address/Mask >
isis_enable: < ISIS Instance >
isis_passive: < boolean >
isis_metric: < integer >
isis_network_point_to_point: < boolean >
node_segment:
ipv4_index: < integer >
ipv6_index: < integer >
Port-Channel Interfaces¶
port_channel_interfaces:
< Port-Channel_interface_1 >:
description: < description >
logging:
event:
link_status: < true | false >
shutdown: < true | false >
vrf: < vrf_name >
vlans: "< list of vlans as string >"
# l3dot1q and l2dot1q are used for sub-interfaces.
# The parent interface should be defined as routed.
type: < routed | switched | l3dot1q | l2dot1q >
encapsulation_dot1q_vlan: < vlan tag to configure on sub-interface >
encapsulation_vlan:
client:
dot1q:
vlan: < Client VLAN ID >
outer: < Client Outer VLAN ID >
inner: < Client Inner VLAN ID >
unmatched: < true | false >
# network encapsulation is all optional, and skipped if using client unmatched.
network:
dot1q:
vlan: < Network VLAN ID >
outer: < Network Outer VLAN ID >
inner: < Network Inner VLAN ID >
client: < true | false >
vlan_id: < 1-4094 >
mode: < access | dot1q-tunnel | trunk | "trunk phone" >
# If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence
native_vlan: < native_vlan_number >
native_vlan_tag: < boolean | default -> false >
snmp_trap_link_change: < true | false >
link_tracking_groups:
- name: < group_name >
direction: < upstream | downstream >
phone:
trunk: < tagged | untagged >
vlan: < 1-4094 >
l2_protocol:
encapsulation_dot1q_vlan: < vlan number >
flow_tracker:
sampled: < flow_tracker_name >
mtu: < mtu >
mlag: < mlag_id >
trunk_groups:
- < trunk_group_name_1 >
- < trunk_group_name_2 >
lacp_fallback_timeout: <timeout in seconds, 0-300 (default 90) >
lacp_fallback_mode: < individual | static >
qos:
trust: < dscp | cos | disabled >
dscp: < dscp-value >
cos: < cos-value >
bfd:
echo: < true | false >
interval: < rate in milliseconds >
min_rx: < rate in milliseconds >
multiplier: < 3-50 >
service_policy:
pbr:
input: < policy-map name >
mpls:
ip: < true | false >
ldp:
interface: < true | false >
igp_sync: < true | false >
trunk_private_vlan_secondary: < true | false >
pvlan_mapping: "< list of vlans as string >"
vlan_translations:
- from: < list of vlans as string (only one vlan if direction is "both") >
to: < vlan_id >
direction: < in | out | both | default -> both >
shape:
rate: < "< rate > kbps" | "1-100 percent" | "< rate > pps" , supported options are platform dependent >
storm_control:
all:
level: < Configure maximum storm-control level >
unit: < percent* | pps (optional and is hardware dependant - default is percent)>
broadcast:
level: < Configure maximum storm-control level >
unit: < percent* | pps (optional and is hardware dependant - default is percent)>
multicast:
level: < Configure maximum storm-control level >
unit: < percent* | pps (optional and is hardware dependant - default is percent) >
unknown_unicast:
level: < Configure maximum storm-control level >
unit: < percent* | pps (optional and is hardware dependant - default is percent)>
ip_proxy_arp: < true | false >
isis_enable: < ISIS Instance >
isis_passive: < boolean >
isis_metric: < integer >
isis_network_point_to_point: < boolean >
isis_circuit_type: < level-1-2 | level-1 | level-2 >
isis_hello_padding: < true | false >
isis_authentication_mode: < text | md5 >
isis_authentication_key: < type-7 encrypted password >
traffic_policy:
input: < ingress traffic policy >
output: < egress traffic policy >
# EOS CLI rendered directly on the port-channel interface in the final EOS configuration
eos_cli: |
< multiline eos cli >
< Port-Channel_interface_2 >:
description: < description >
vlans: "< list of vlans as string >"
mode: < access | dot1q-tunnel | trunk | "trunk phone" >
evpn_ethernet_segment:
identifier: < EVPN Ethernet Segment Identifier (Type 1 format) >
redundancy: < all-active | single-active >
designated_forwarder_election:
algorithm: < modulus | preference >
# preference_value and dont_preempt are set for preference algorithm and are optional
preference_value: < 0-65535 >
dont_preempt: < true | false | default -> false >
hold_time: < integer >
subsequent_hold_time: < integer >
candidate_reachability_required: < true | false >
mpls:
shared_index: < 1-1024 >
tunnel_flood_filter_time: < integer >
route_target: < EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx >
# esi and rt to be deprecated in AVD 4.0, replaced by identifier and route_target under evpn_ethernet_segment.
# If both esi/rt and identifier/route_target are defined, new variables take precedence over old variables.
esi: < EVPN Ethernet Segment Identifier (Type 1 format) >
rt: < EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx >
lacp_id: < LACP ID with format xxxx.xxxx.xxxx >
< Port-Channel_interface_3 >:
description: < description >
vlans: "< list of vlans as string >"
type: < routed | switched | l3dot1q | l2dot1q >
mode: < access | dot1q-tunnel | trunk | "trunk phone" >
spanning_tree_bpdufilter: < "enabled" | true | "disabled" >
spanning_tree_bpduguard: < "enabled" | true | "disabled" >
spanning_tree_guard: < loop | root | disabled >
spanning_tree_portfast: < edge | network >
vmtracer: < true | false >
ptp:
enable: < true | false >
announce:
interval: < integer >
timeout: < integer >
delay_req: < integer >
delay_mechanism: < e2e | p2p >
sync_message:
interval: < integer >
role: < master | dynamic >
vlan: < all | list of vlans as string >
transport: < ipv4 | ipv6 | layer2 >
< Port-Channel_interface_4 >:
description: < description >
mtu: < mtu >
type: < routed | switched | l3dot1q | l2dot1q >
ip_address: < IP_address/mask >
ipv6_enable: < true | false >
ipv6_address: < IPv6_address/mask >
ipv6_address_link_local: < link_local_IPv6_address/mask >
ipv6_nd_ra_disabled: < true | false >
ipv6_nd_managed_config_flag: < true | false >
ipv6_nd_prefixes:
< IPv6_address_1/Mask >:
valid_lifetime: < infinite or lifetime in seconds >
preferred_lifetime: < infinite or lifetime in seconds >
no_autoconfig_flag: < true | false >
< IPv6_address_2/Mask >:
access_group_in: < access_list_name >
access_group_out: < access_list_name >
ipv6_access_group_in: < ipv6_access_list_name >
ipv6_access_group_out: < ipv6_access_list_name >
mac_access_group_in: < mac_access_list_name >
mac_access_group_out: < mac_access_list_name >
pim:
ipv4:
dr_priority: < 0-429467295 >
sparse_mode: < true | false >
service_profile: < qos_profile >
ospf_network_point_to_point: < true | false >
ospf_area: < ospf_area >
ospf_cost: < ospf_cost >
ospf_authentication: < none | simple | message-digest >
ospf_authentication_key: "< encrypted_password >"
ospf_message_digest_keys:
< id >:
hash_algorithm: < md5 | sha1 | sha 256 | sha384 | sha512 >
key: "< encrypted_password >"
Tunnel Interfaces¶
tunnel_interfaces:
- name: < interface_name >
description: < description >
shutdown: < true | false >
mtu: < 68-65535 >
vrf: < vrf_name >
ip_address: < ip_address >
ipv6_enable: < true | false >
ipv6_address: < ipv6_address >
access_group_in: < access_list_name >
access_group_out: < access_list_name >
ipv6_access_group_in: < access_list_name >
ipv6_access_group_out: < access_list_name >
tcp_mss_ceiling:
ipv4: < 64-65495 >
ipv6: < 64-65475 >
direction: < ingress | egress >
source_interface: < tunnel_source_interface_name >
destination: < tunnel_destination >
path_mtu_discovery: < true | false >
# EOS CLI rendered directly on the Tunnel interface in the final EOS configuration
eos_cli: |
< multiline eos cli >
VLAN Interfaces¶
vlan_interfaces:
< Vlan_id_1 >:
description: < description >
shutdown: < true | false >
vrf: < vrf_name >
arp_aging_timeout: < arp_timeout >
arp_cache_dynamic_capacity: < 0-4294967295 >
arp_gratuitous_accept: < true | false >
arp_monitor_mac_address: < true | false >
ip_proxy_arp: < true | false >
ip_directed_broadcast: < true | false >
ip_address: < IPv4_address/Mask >
ip_address_secondaries:
- < IPv4_address/Mask >
- < IPv4_address/Mask >
ip_virtual_router_addresses:
- < IPv4_address/Mask | IPv4_address >
- < IPv4_address/Mask | IPv4_address >
ip_address_virtual: < IPv4_address/Mask >
ip_address_virtual_secondaries:
- < IPv4_address/Mask >
- < IPv4_address/Mask >
ip_igmp: < true | false >
ip_helpers:
< ip_helper_address_1 >:
source_interface: < source_interface_name >
vrf: < vrf_name >
< ip_helper_address_2 >:
source_interface: < source_interface_name >
ipv6_enable: < true | false >
ipv6_address: < IPv6_address/Mask >
# The below "ipv6_address_virtual" key will be deprecated in AVD v4.0 in favor of the new "ipv6_address_virtuals"
# If both "ipv6_address_virtual" and "ipv6_address_virtuals" are set, all addresses will be configured
ipv6_address_virtual: < IPv6_address/Mask >
# The new "ipv6_address_virtuals" key support multiple virtual ip addresses.
ipv6_address_virtuals:
- < IPv6_address/Mask >
- < IPv6_address/Mask >
ipv6_address_link_local: < link_local_IPv6_address/Mask >
# The below "ipv6_virtual_router_address" key will be deprecated in AVD v4.0 - These should not be mixed with the new "ipv6_virtual_router_addresses" key below to avoid conflicts.
ipv6_virtual_router_address: < IPv6_address >
# New improved "VARPv6" data model to support multiple VARPv6 addresses.
ipv6_virtual_router_addresses:
- < IPv6_address >
- < IPv6_address >
ipv6_nd_ra_disabled: < true | false >
ipv6_nd_managed_config_flag: < true | false >
ipv6_nd_prefixes:
< IPv6_address_1/Mask >:
valid_lifetime: < infinite or lifetime in seconds >
preferred_lifetime: < infinite or lifetime in seconds >
no_autoconfig_flag: < true | false >
< IPv6_address_2/Mask >:
access_group_in: < access_list_name >
access_group_out: < access_list_name >
ipv6_access_group_in: < ipv6_access_list_name >
ipv6_access_group_out: < ipv6_access_list_name >
multicast:
# boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both
ipv4:
boundaries:
- boundary: < acl_name | multicast_ip_subnet >
out: < true | false >
source_route_export:
enabled: < true | false >
administrative_distance: < 1-255 >
static: < true | false >
ipv6:
boundaries:
- boundary: < acl_name | multicast_ip_subnet >
source_route_export:
enabled: < true | false >
administrative_distance: < 1-255 >
static: < true | false >
ospf_network_point_to_point: < true | false >
ospf_area: < ospf_area >
ospf_cost: < ospf_cost >
ospf_authentication: < none | simple | message-digest >
ospf_authentication_key: "< encrypted_password >"
ospf_message_digest_keys:
< id >:
hash_algorithm: < md5 | sha1 | sha 256 | sha384 | sha512 >
key: "< encrypted_password >"
pim:
ipv4:
dr_priority: < 0-429467295 >
sparse_mode: < true | false >
local_interface: < local_interface_name >
isis_enable: < ISIS Instance >
isis_passive: < boolean >
isis_metric: < integer >
isis_network_point_to_point: < boolean >
mtu: < mtu >
no_autostate: < true | false >
# New improved "vrrp" data model to support multiple IDs
vrrp_ids:
- id: < vrid >
priority_level: < instance_priority >
advertisement:
interval: < advertisement_interval>
preempt:
enabled: < true | false >
delay:
minimum: < integer >
reload: < integer >
timers:
delay:
reload: < integer >
tracked_object:
- name: < tracked_object_name_1 >
decrement: < decrement vrrp priority by 1-254 >
shutdown: < true | false >
- name: < tracked_object_name_2 >
decrement: < decrement vrrp priority by 1-254 >
shutdown: < true | false >
ipv4:
address: < virtual_ip_address >
version: < 2 | 3 >
ipv6:
address: < virtual_ip_address >
# The below "vrrp" keys will be deprecated in AVD v4.0 - These should not be mixed with the new "vrrp_ids" key above to avoid conflicts.
vrrp:
virtual_router: < virtual_router_id >
priority: < instance_priority >
advertisement_interval: < advertisement_interval>
preempt_delay_minimum: < minimum_preemption_delay >
ipv4: < virtual_ip_address >
ipv6: < virtual_ip_address >
ip_attached_host_route_export:
distance: < distance >
bfd:
echo: < true | false >
interval: < rate in milliseconds >
min_rx: < rate in milliseconds >
multiplier: < 3-50 >
service_policy:
pbr:
input: < policy-map name >
pvlan_mapping: "< list of vlans as string >"
# EOS CLI rendered directly on the VLAN interface in the final EOS configuration
eos_cli: |
< multiline eos cli >
< Vlan_id_2 >:
description: < description >
ip_address: < IPv4_address/Mask >
VxLAN Interface¶
vxlan_interface:
Vxlan1:
description: < description >
vxlan:
source_interface: < source_interface_name >
mlag_source_interface: < source_interface_name >
udp_port: < udp_port >
virtual_router_encapsulation_mac_address: < mlag-system-id | ethernet_address (H.H.H) >
bfd_vtep_evpn:
interval: < integer >
min_rx: < integer >
multiplier: < 3-50 >
prefix_list: < prefix_list >
qos:
# !!!Warning, only few hardware types with software version >= 4.26.0 support the below knobs to configure Vxlan DSCP mapping.
# For the Traffic Class to be derived based on the outer DSCP field of the incoming VxLan packet, the core ports must be in "DSCP Trust" mode.
dscp_propagation_encapsulation: < true | false >
map_dscp_to_traffic_class_decapsulation: < true | false >
vlans:
< vlan_id_1 >:
vni: < vni_id_1 >
multicast_group: < ip_multicast_group_address >
flood_vteps:
- < remote_vtep_1_ip_address >
- < remote_vtep_2_ip_address >
< vlan_id_2 >:
vni: < vni_id_2 >
multicast_group: < ip_multicast_group_address >
flood_vteps:
- < remote_vtep_1_ip_address >
- < remote_vtep_2_ip_address >
vrfs:
< vrf_name_1 >:
vni: < vni_id_3 >
multicast_group: < ip_multicast_group_address >
< vrf_name_2 >:
vni: < vni_id_4 >
multicast_group: < ip_multicast_group_address >
flood_vteps:
- < remote_vtep_1_ip_address >
- < remote_vtep_2_ip_address >
flood_vtep_learned_data_plane: < true | false >
# EOS CLI rendered directly on the Vxlan interface in the final EOS configuration
eos_cli: |
< multiline eos cli >
Internal VLAN Order¶
vlan_internal_order:
allocation: < ascending | descending >
range:
beginning: < vlan_id >
ending: < vlan_id >
IP DHCP Relay¶
IP ICMP Redirect¶
IP Hardware¶
IPv6 Hardware¶
LACP¶
lacp:
port_id:
range:
begin: < min_port >
end: < max_port >
rate_limit:
default: < true | false >
system_priority: < 0-65535 >
Link Tracking Groups¶
LLDP¶
lldp:
timer: < transmission_time >
timer_reinitialization: < re-init_time >
holdtime: < hold_time_period >
management_address: < all | ethernetN | loopbackN | managementN | port-channelN | vlanN >
vrf: < vrf_name >
receive_packet_tagged_drop: < true | false >
tlvs:
- name: < tlv name 1 >
transmit: < true | false >
- name: < tlv name 2 >
transmit: < true | false >
run: < true | false >
MCS client¶
mcs_client:
shutdown: < true | false >
cvx_secondary:
name: < name >
shutdown: < true | false >
server_hosts:
- < IP | hostname >
- < IP | hostname >
MACsec¶
mac_security:
license:
license_name: < license-name >
license_key: < license-number >
fips_restrictions: < true | false >
profiles:
< profile >:
cipher: < valid-cipher-string >
connection_keys:
"< connection_key >":
encrypted_key: "< encrypted_key >"
fallback: < true | false -> default >
mka:
key_server_priority: < 0 - 255 >
session:
rekey_period: < 30-100000 in seconds >
sci: < true | false >
l2_protocols:
ethernet_flow_control:
mode: < encrypt | bypass >
lldp:
mode: < bypass | bypass unauthorized >
Maintenance Mode¶
BGP Groups¶
bgp_groups:
< group_name >:
vrf: "< vrf_name >"
neighbors:
- "< ip_address >"
- "< ipv6_address >"
- "< peer_group_name >"
bgp_maintenance_profiles:
- < profile_name >
Interface Groups¶
interface_groups:
< group_name >:
interfaces:
- "< interface_or_interface_range >"
bgp_maintenance_profiles:
- "< profile_name >"
interface_maintenance_profiles:
- "< profile_name >"
Profiles and units¶
maintenance:
default_interface_profile: < interface_profile_1 >
default_bgp_profile: < bgp_profile_1 >
default_unit_profile: < unit_profile_1 >
interface_profiles:
< interface_profile_1 >:
rate_monitoring:
load_interval: < seconds >
threshold: < kbps >
shutdown:
max_delay: < seconds >
bgp_profiles:
< bgp_profile_1 >:
initiator:
route_map_inout: < route_map >
unit_profiles:
< unit_profile_1 >:
on_boot:
duration: < 300-3600 >
units:
< unit_name_1 >:
quiesce: < true | false >
profile: < unit_profile_1 >
groups:
bgp_groups:
- < bgp_group_1>
- < bgp_group_2>
interface_groups:
- < interface_group_1>
- < interface_group_2>
Management¶
Clock¶
DNS Domain¶
Domain Name Servers¶
Domain Lookup¶
Domain-List¶
Management Interfaces¶
management_interfaces:
< Management_interface_1 >:
description: < description >
shutdown: < true | false >
mtu: < mtu >
vrf: < vrf_name >
ip_address: < IPv4_address/Mask >
ipv6_enable: < true | false >
ipv6_address: < IPv6_address/Mask >
type: < oob | inband | default -> oob >
# For documentation purpose only
gateway: < IPv4 address of default gateway in management VRF >
ipv6_gateway: < IPv6 address of default gateway in management VRF >
mac_address: < MAC address >
Management HTTP¶
management_api_http:
enable_http: < true | false >
enable_https: < true | false >
https_ssl_profile: < SSL Profile Name >
default_services: < true | false >
enable_vrfs:
< vrf_name_1 >:
access_group: < Standard IPv4 ACL name >
ipv6_access_group: < Standard IPv6 ACL name >
< vrf_name_2 >:
access_group: < Standard IPv4 ACL name >
ipv6_access_group: < Standard IPv6 ACL name >
protocol_https_certificate:
# Both < certificate > and < private_key > must be defined for this feature to work
certificate: < Certificate >
private_key: < Private Key >
IP HTTP Client Source Interfaces¶
ip_http_client_source_interfaces:
- name: <interface_name_1>
vrf: <vrf_name_1>
- name: <interface_name_2>
vrf: <vrf_name_2>
Management GNMI¶
management_api_gnmi:
provider: < "eos-native" >
transport:
grpc:
- name: < transport_name >
ssl_profile: < SSL Profile Name >
# vrf is optional
vrf: < vrf_name >
# Per the GNMI specification, the default timestamp field of a notification message is set to be
# the time at which the value of the underlying data source changes or when the reported event takes place.
# In order to facilitate integration in legacy environments oriented around polling style operations,
# an option to support overriding the timestamp field to the send-time is available from EOS 4.27.0F.
notification_timestamp: < "send-time" | "last-change-time" >
ip_access_group: < acl_name >
# Below keys will be deprecated in AVD v4.0 - These should not be mixed with the new keys above.
enable_vrfs:
< vrf_name_1 >:
access_group: < Standard IPv4 ACL name >
< vrf_name_2 >:
access_group: < Standard IPv4 ACL name >
# Enable provider 'eos-native' to stream both OpenConfig and EOS native paths.
octa:
Management API Models¶
management_api_models:
providers:
- name: < sysdb | smash >
paths:
- path: < path1 >
disabled: < true | false | default -> false >
- path: < path2 >
- name: < provider2 >
paths:
- path: < path1 >
Management Console¶
Management CVX¶
management_cvx:
shutdown: < true | false >
# List of Hostname(s) or IP Address(es) of CVX server(s)
server_hosts:
- < IP | hostname >
- < IP | hostname >
source_interface: < interface name >
Management Defaults¶
Management Security¶
management_security:
entropy_source: < entropy_source >
password:
minimum_length: < 1-32 >
encryption_key_common: < true | false >
encryption_reversible: < aes-256-gcm >
ssl_profiles:
- name: <ssl_profile_1>
tls_versions: < list of allowed tls versions as string >
# cipher_list syntax follows the openssl cipher strings format
cipher_list: < column separated list of allowed ciphers as a string >
certificate:
file: < certificate filename >
key: < key filename >
- name: <ssl_profile_2>
tls_versions: < list of allowed tls versions as string >
Management SSH¶
management_ssh:
access_groups:
- name: < standard_acl_name_1 >:
- name: < standard_acl_name_2 >:
vrf: < vrf name >
ipv6_access_groups:
- name: < standard_acl_name_1 >:
- name: < standard_acl_name_2 >:
vrf: < vrf name >
idle_timeout: < 0-86400 in minutes >
cipher:
- < cipher1 >
- < cipher2 >
key_exchange:
- < method1 >
- < method2 >
mac:
- < mac_algorithm1 >
- < mac_algorithm2 >
hostkey:
server:
- < algorithm1 >
- < algorithm2 >
enable: < true | false >
connection:
limit: < 1-100 SSH Connections >
per_host: < 1-20 max sessions from a host >
vrfs:
< vrf_name_1 >:
enable: < true | false >
< vrf_name_2 >:
enable: < true | false >
log_level: < SSH daemon log level >
Management Tech-Support¶
management_tech_support:
policy_show_tech_support:
exclude_commands:
- command: < command_to_exclude >
# The supported values for type are platform dependent
type: < text | json | default -> text >
include_commands:
- command: < command_to_include >
IP SSH Client Source Interfaces¶
ip_ssh_client_source_interfaces:
- name: < interface_name_1 >
vrf: < vrf_name_1 | default -> "default" >
- name: < interface_name_2 >
vrf: < vrf_name_2 | default -> "default" >
NTP¶
ntp:
local_interface:
name: < source_interface >
vrf: < vrf_name >
servers:
- name: < IP | hostname >
burst: < true | false >
iburst: < true | false >
key: < 1 - 65535 >
local_interface: < source_interface >
maxpoll: < 3 - 17 (Logarithmic) >
minpoll: < 3 - 17 (Logarithmic) >
preferred: < true | false >
version: < 1 - 4 >
vrf: < vrf_name >
authenticate: <true | false >
authenticate_servers_only: < true | false >
authentication_keys:
- id: < key_identifier | 1-65534 >
hash_algorithm: < md5 | sha1 >
key: "< obfuscated_key >"
key_type: < 0 | 7 | 8a >
trusted_keys: "< list of trusted-keys as string ex. 10-12,15 >"
MPLS¶
mpls:
ip: < true | false >
ldp:
interface_disabled_default: < true | false >
router_id: < string >
shutdown: < true | false >
transport_address_interface: < interface_name >
Multi-Chassis LAG - MLAG¶
mlag_configuration:
domain_id: < domain_id_name >
heartbeat_interval: < milliseconds >
local_interface: < interface_name >
peer_address: < IPv4_address >
peer_address_heartbeat:
peer_ip: < IPv4_address >
vrf: < vrf_name >
dual_primary_detection_delay: < seconds >
dual_primary_recovery_delay_mlag: < 0 - 1000 >
dual_primary_recovery_delay_non_mlag: < 0 - 1000 >
peer_link: < Port-Channel_id >
reload_delay_mlag: < seconds >
reload_delay_non_mlag: < seconds >
Multicast¶
IP IGMP Snooping¶
ip_igmp_snooping:
globally_enabled: < true | false | default -> true >
robustness_variable: < 1-3 >
restart_query_interval: < int >
interface_restart_query: < int >
fast_leave: < true | false >
querier:
enabled: < true | false >
address: < IP_address >
query_interval: < int >
max_response_time: < 1-25 >
last_member_query_interval: < 1-25 >
last_member_query_count: < 1-3 >
startup_query_interval: < int >
startup_query_count: < 1-3 >
version: < 1-3 >
proxy: < true | false >
vlans:
< vlan_id >:
enabled: < true | false >
querier:
enabled: < true | false >
address: < IP_address >
query_interval: < int >
max_response_time: < 1-25 >
last_member_query_interval: < 1-25 >
last_member_query_count: < 1-3 >
startup_query_interval: < int >
startup_query_count: < 1-3 >
version: < 1-3 >
max_groups: < 0-65534 >
fast_leave: < true | false >
# Global proxy settings should be enabled before enabling per-vlan
proxy: < true | false >
globally_enabled
allows to activate or deactivate IGMP snooping for all vlans where vlans
allows user to activate / deactivate IGMP snooping per vlan.
Router Multicast¶
router_multicast:
ipv4:
counters:
rate_period_decay: < 0-600 > # in seconds, optional
routing: < true | false >
multipath: < none | deterministic | "deterministic color" | "deterministic router-id" >
software_forwarding: < kernel | sfe >
rpf:
routes:
- source_prefix: < IPv4 subnet / netmask >
destinations:
- nexthop: < nexthop_ip | interface_name >
distance: < 1 - 255 > # optional
vrfs:
- name: < vrf_name >
ipv4:
routing: < true | false >
Routing PIM Sparse Mode¶
router_pim_sparse_mode:
ipv4:
bfd: < true | false >
ssm_range: < range >
rp_addresses:
< rp_address_1 >:
groups:
< group_prefix_1/mask >:
< group_prefix_2/mask >:
access_lists:
- < access_list_name >
priority: < 0-255 >
hashmask: < 0-32 >
override: < true | false >
< rp_address_2 >:
anycast_rps:
< anycast_rp_address_1 >:
other_anycast_rp_addresses:
< ip_address_other_anycast_rp_1 >:
register_count: < register_count_nb >
vrfs:
- name: < vrf_name >
ipv4:
bfd: < true | false >
rp_addresses:
- address: < rp_address_1 >
groups:
- < group_prefix_1/mask >
- < group_prefix_2/mask >
access_lists:
- < access_list_name >
priority: < 0-255 >
hashmask: < 0-32 >
override: < true | false >
Monitoring¶
Daemon TerminAttr¶
daemon_terminattr:
# Address of the gRPC server on CloudVision
# TCP 9910 is used on on-prem
# TCP 443 is used on CV as a Service
cvaddrs: # For single cluster
- < ip/fqdn >:<port>
- < ip/fqdn >:<port>
- < ip/fqdn >:<port>
clusters: # For multiple cluster support
< cluster_name >:
cvaddrs:
- < ip/fqdn >:<port>
- < ip/fqdn >:<port>
- < ip/fqdn >:<port>
cvauth:
method: < "token" | "token-secure" | "key" >
key: < key >
token_file: < path | e.g. "/tmp/token" >
cvobscurekeyfile: < true | false >
cvproxy: < URL >
cvsourceip: < IP Address >
cvvrf: < vrf >
# Authentication scheme used to connect to CloudVision
cvauth:
method: < "token" | "token-secure" | "key" >
key: < key >
token_file: < path | e.g. "/tmp/token" >
# The default compression scheme when streaming to CloudVision is gzip since TerminAttr 1.6.1 and CVP 2019.1.0. There is no need to change the compression scheme.
# Encrypt the private key used for authentication to CloudVision
cvobscurekeyfile: < true | false >
# Proxy server through which CloudVision is reachable. Useful when the CloudVision server is hosted in the cloud.
# The expected form is http://[user:password@]ip:port, e.g.: 'http://arista:arista@10.83.12.78:3128'
# Available as of TerminAttr v1.13.0
cvproxy: < URL >
# set source IP address in case of in-band managament
cvsourceip: < IP Address >
# Name of the VRF to use to connect to CloudVision
cvvrf: < vrf >
# Stream states from EOS GNMI servers (Openconfig) to CloudVision
# Available as of TerminAttr v1.13.1
cvgnmi: < true | false >
# Disable AAA authorization and accounting. When setting this flag, all commands pushed
# from CloudVision are applied directly to the CLI without authorization
disable_aaa: < true | false >
# Set the gRPC server address, the default is 127.0.0.1:6042
grpcaddr: < string | e.g. "MGMT/0.0.0.0:6042" >
# gNMI read-only mode – Disable gnmi.Set()
grpcreadonly: < true | false >
# Exclude paths from Sysdb on the ingest side
ingestexclude: < string | e.g. "/Sysdb/cell/1/agent,/Sysdb/cell/2/agent" >
# Exclude paths from the shared memory table
smashexcludes: < string | e.g. "ale,flexCounter,hardware,kni,pulse,strata" >
# Enable log file collection; /var/log/messages is streamed by default if no path is set.
taillogs: < path | e.g. "/var/log/messages" >
# ECO DHCP Collector address or ECO DHCP Fingerprint listening addressin standalone mode (default "127.0.0.1:67")
ecodhcpaddr: < IPV4_address:port >
# Enable IPFIX provider (default true)
# This flag is enabled by default and does not have to be added to the daemon configuration.
ipfix: < true | false >
# ECO IPFIX Collector address to listen on to receive IPFIX packets (default "127.0.0.1:4739")
# This flag is enabled by default and does not have to be added to the daemon configuration
ipfixaddr: < IPV4_address:port >
# Enable sFlow provider (default true)
# This flag is enabled by default and does not have to be added to the daemon configuration
sflow: < true | false >
# ECO sFlow Collector address to listen on to receive sFlow packets (default "127.0.0.1:6343")
# This flag is enabled by default and does not have to be added to the daemon configuration
sflowaddr: < IPV4_address:port >
# Subscribe to dynamic device configuration from CloudVision (default false)
cvconfig: < true | false >
You can either provide a list of IPs/FQDNs to target on-premise Cloudvision cluster or use DNS name for your Cloudvision as a Service instance. Streaming to multiple clusters both on-prem and cloud service is supported.
Note For TerminAttr version recommendation and EOS compatibility matrix, please refer to the latest TerminAttr Release Notes which always contain the latest recommended versions and minimum required versions per EOS release.
Custom Daemons¶
daemons:
< daemon_name >:
exec: "< command to run as a daemon >"
enabled: "< true | false | default -> true >"
This will add a daemon to the eos configuration that is most useful when trying to run OpenConfig clients like ocprometheus
Connectivity Monitor¶
monitor_connectivity:
shutdown: < true | false >
interval: < probing_interval >
interface_sets:
- name: < interface_set >
# Interface range(s) should be of same type, Ethernet, Loopback, Management etc.
# Multiple interface ranges can be specified separated by ","
interfaces: < interface_or_interface_range(s) >
local_interfaces: < interface_set_name >
hosts:
- name: < host_name >
description: < description >
ip: < ipv4 >
local_interfaces: < interface_set_name >
url: < url >
vrfs:
- name: < vrf_name >
description: < description >
interface_sets:
- name: < interface_set >
interfaces: < interface_or_interface_range(s) >
local_interfaces: < interface_set_name >
hosts:
- name: < host_name >
description: < description >
ip: < ipv4 >
local_interfaces: < interface_set_name >
url: < url >
Event Handler¶
### Event Handler ###
event_handlers:
< event_handler_name >:
action_type: < Type of action. [bash, increment, log] >
action: < Command to execute >
delay: < Event-handler delay in seconds >
trigger: < Configure event trigger condition. Only supports on-logging >
regex: < Regular expression to use for searching log messages. Required for on-logging trigger >
asynchronous: < Set the action to be non-blocking. if unset, default is False >
Event Monitor¶
Load Interval¶
Logging¶
logging:
console: < "<severity_level>" | "disabled" >
monitor: < "<severity_level>" | "disabled" >
buffered:
size: < messages_nb (minimum of 10) >
level: < "<severity_level>" | "disabled" >
trap: < "<severity_level>" | "disabled" >
synchronous:
level: < "<severity_level>" | "disabled" | default --> critical >
format:
timestamp: < high-resolution | traditional |traditional year | traditional timezone | traditonal year timezone >
hostname: < fqdn | ipv4 >
sequence_numbers: < true | false >
facility: < syslog_facility_value >
source_interface: < source_interface_name >
vrfs:
< vrf_name >:
source_interface: < source_interface_name >
hosts:
< syslog_server_1 >:
protocol: < tcp | udp (default udp) >
ports:
- < custom_port_1 >
- < custom_port_2 >
< syslog_server_2 >:
ports:
- < custom_port_1 >
policy:
match:
match_lists:
< match_list >:
action: < discard >
Object Tracking¶
trackers:
- name: < tracked object name >
interface: < interface_name >
tracked_property: < property_to_track | default -> line-protocol >
Sflow¶
sflow:
sample: < sample_rate >
dangerous: < true | false >
polling_interval: < polling_interval_seconds >
vrfs:
<vrf_name_1>:
destinations:
< sflow_destination_ip_1>:
< sflow_destination_ip_2>:
port: < port_number >
# source and source_interface are mutually exclusive. If both are defined, source_interface takes precedence
source: < source_ip_address >
source_interface: < source_interface >
<vrf_name_2>:
destinations:
< sflow_destination_ip_1>:
source_interface: < source_interface >
destinations:
< sflow_destination_ip_1 >:
port: < port_number >
< sflow_destination_ip_2 >:
# source and source_interface are mutually exclusive. If both are defined, source_interface takes precedence
source: < source_ip_address >
source_interface: < source_interface >
extensions:
- name: <bgp | router | switch | tunnel >
enabled: < true | false >
interface:
disable:
default: < true | false >
run: < true | false >
hardware_acceleration:
enabled: < true | false >
sample: < sample_rate >
modules:
- name: < module name >
enabled: < true | false | default -> true >
SNMP Settings¶
snmp_server:
engine_ids:
local: < engine_id_in_hex >
remotes:
- id: < engine_id_in_hex >
address: < hostname_or_ip_of_remote_engine >
udp_port: < udp_port >
contact: < contact_name >
location: < location >
communities:
< community_name_1 >:
access: < ro | rw >
access_list_ipv4:
name: < acl_ipv4_name >
access_list_ipv6:
name: < acl_ipv6_name >
view: < view_name >
< community_name_2 >:
access: < ro | rw >
access_list_ipv4:
name: < acl_ipv4_name >
access_list_ipv6:
name: < acl_ipv6_name >
view: < view_name >
ipv4_acls:
- name: < ipv4-access-list >
vrf: < vrf >
- name: < ipv4-access-list >
ipv6_acls:
- name: < ipv6-access-list >
vrf: < vrf >
- name: < ipv6-access-list >
local_interfaces:
< interface_name_1 >:
vrf: < vrf_name >
< interface_name_2 >:
< interface_name_3 >:
vrf: < vrf_name >
views:
- name: < view_name >
MIB_family_name: < MIB_family_name >
included: < true | false >
- name: < view_name >
MIB_family_name: < MIB_family_name >
included: < true | false >
groups:
- name: < group_name >
version: < v1 | v2c | v3 >
authentication: < auth | noauth | priv >
read: < read_view >
write: < write_view >
notify: < notify_view >
- name: < group_name >
version: < v1 | v2c | v3 >
authentication: < auth | noauth | priv >
read: < read_view >
users:
- name: < username >
group: < group_name >
# remote_address and udp_port are used for remote users
remote_address: < hostname_or_ip_of_remote_engine >
# udp_port will not be used if no remote_address is configured
udp_port: < udp_port >
version: < v1 | v2c | v3 >
# For a local user (i.e. no remote_ip), use the local engine_id
# For a remote user, use the remote engine_id
localized: < engine_id_in_hex >
auth: < hash_algorithm >
auth_passphrase: < hashed_auth_passphrase if localized is used else cleartext auth_passphrase >
priv: < encryption_algorithm >
priv_passphrase: < hashed_priv_passphrase if localized is used else cleartext priv_passphrase >
- name: < username >
group: < group_name >
version: < v1 | v2c | v3 >
hosts:
- host: < host IP address or name >
vrf: < vrf_name >
version: < 1 | 2c | 3 >
community: < community_name >
users:
- username: < username >
authentication_level: < auth | noauth | priv >
- host: < host IP address or name >
vrf: < vrf_name >
community: < community_name >
users:
- username: < username >
authentication_level: < auth | noauth | priv >
traps:
# Enable or disable all snmp-traps
enable: < true | false | default -> false >
# Enable or disable specific snmp-traps and their sub_traps
snmp_traps:
- name: < snmp_trap_type | snmp_trap_type snmp_sub_trap_type >
enabled: < true | false | default -> true >
- name: < snmp_trap_type | snmp_trap_type snmp_sub_trap_type >
vrfs:
- name: < vrf_name >
enable: < true | false >
- name: < vrf_name >
enable: < true | false >
Monitor Sessions¶
monitor_sessions:
- name: < session_name_1 >
sources:
- name: < interface_name, range or comma separated list >
direction: < rx | tx | both >
access_group:
type: < ip | ipv6 | mac >
name: < acl_name >
priority: < priority >
destinations:
- < interface(s) | cpu >
encapsulation_gre_metadata_tx: < true | false >
header_remove_size: < bytes >
access_group:
type: < ip | ipv6 | mac >
name: < acl_name >
rate_limit_per_ingress_chip: < "<int> bps" | "<int> kbps" | "<int> mbps" >
rate_limit_per_egress_chip: < "<int> bps" | "<int> kbps" | "<int> mbps" >
sample: < integer >
truncate:
enabled: < true | false >
size: < bytes >
Tap Aggregation¶
tap_aggregation:
mode:
exclusive:
enabled: < true | false >
profile: < profile_name >
no-errdisable:
- < EthernetX | Port-ChannelX >
encapsulation_dot1br_strip: < true | false >
encapsulation_vn_tag_strip: < true | false >
protocol_lldp_trap: < true | false >
# Allowed truncation_size values vary depending on the platform
truncation_size: < size in bytes >
mac:
# mac.timestamp.replace_source_mac and mac.timestamp.header.format are mutually exclsuive. If both are defined, replace_source_mac takes precedence
timestamp:
replace_source_mac: < true | false >
header:
format: < "48-bit" | "64-bit" >
eth_type: < integer >
# mac_fcs_append and mac_fcs_error are mutually exclusive. If both are defined, mac_fcs_append takes precedence
fcs_append: < true | false >
fcs_error: < "correct" | "discard" | "pass-through" >
System Control-Plane¶
system:
control_plane:
tcp_mss:
ipv4: < Segment size >
ipv6: < Segment size >
ipv4_access_groups:
- acl_name: < access-list name >
vrf: < Optional vrf field >
ipv6_access_groups:
- acl_name: < access-list name >
vrf: < Optional vrf field >
VM Tracer Sessions¶
vmtracer_sessions:
< vmtracer_session_name_1 >:
url: < url >
username: < username >
password: "< encrypted_password >"
autovlan_disable: < true | false >
source_interface: < interface_name >
< vmtracer_session_name_2 >:
url: < url >
username: < username >
password: "< encrypted_password >"
Patch Panel¶
patch_panel:
patches:
- name: < name >
enabled: < true | false >
connectors:
# Must have exactly two connectors to a patch of which at least one must be of type "interface"
- id: < string or integer >
type: < interface | pseudowire >
endpoint: < interface_name | interface_name dot1q vlan 123 | bgp vpws TENANT_A pseudowire WPWS_PW_1 | ldp LDP_PW_1 >
- id: < string or integer >
type: < interface | pseudowire >
endpoint: < interface_name | interface_name dot1q vlan 123 | bgp vpws TENANT_A pseudowire WPWS_PW_1 | ldp LDP_PW_1 >
PTP¶
ptp:
mode: < boundary | transparent >
forward_unicast: < true | false >
clock_identity: < "clock-id in xx:xx:xx:xx:xx:xx format" >
source:
ip: < source-ip >
priority1: < 0-255 >
priority2: < 0-255 >
ttl: < 1-254 >
domain: < 0-255 >
message_type:
general:
dscp: < dscp-value >
event:
dscp: < dscp-value >
monitor:
enabled: < true | false | default -> true >
threshold:
offset_from_master: < 0-1000000000 >
mean_path_delay: < 0-1000000000 >
drop:
offset_from_master: < 0-1000000000 >
mean_path_delay: < 0-1000000000 >
missing_message:
intervals:
announce: < 2-255 >
follow_up: < 2-255 >
sync: < 2-255 >
sequence_ids:
enabled: < true | false | default -> false >
announce: < 2-255 >
delay_resp: < 2-255 >
follow_up: < 2-255 >
sync: < 2-255 >
Prompt¶
Quality of Services¶
QOS¶
qos:
map:
cos:
- "< cos_mapping_to_tc >"
- "< cos_mapping_to_tc >"
dscp:
- "< dscp_mapping_to_tc >"
- "< dscp_mapping_to_tc >"
traffic_class:
- "< tc_mapping_to_cos >"
- "< tc_mapping_to_dscp >"
- "< tc_mapping_to_tx_queue >"
rewrite_dscp: < true | false >
QOS Class-maps¶
class_maps:
pbr:
< class-map name >:
ip:
access_group: < Standard access-list name >
qos:
< class-map name >:
vlan: < VLAN value(s) or range(s) of VLAN values >
cos: < CoS value(s) or range(s) of CoS values >
ip:
access_group: < IPv4 access-list name >
ipv6:
access_group: < IPv6 access-list name >
QOS Policy-map¶
policy_maps:
pbr:
< policy-map name >:
classes:
< class name >:
index: < integer > # Optional
# Set only one of the below actions per class
drop: < true | false >
set:
nexthop:
ip_address: < IPv4_address | IPv6_address >
recursive: < true | false >
qos:
< policy-map name >:
classes:
< class name >:
set:
cos: < cos_value >
dscp: < dscp-code >
traffic_class: < traffic-class ID >
drop_precedence: < drop-precedence value >
QOS Profiles¶
# The below knobs are platform dependent
qos_profiles:
< profile-1 >:
trust: < dscp | cos | disabled >
cos: < cos-value >
dscp: < dscp-value >
shape:
rate: < "< rate > kbps" | "1-100 percent" | "< rate > pps" , supported options are platform dependent >
service_policy:
type:
qos_input: < policy_map_name >
tx_queues:
< tx-queue-id >:
bandwidth_percent: < value >
bandwidth_guaranteed_percent: < value >
priority: < "priority strict" | "no priority" >
shape:
rate: < "< rate > kbps" | "1-100 percent" | "< rate > pps" , supported options are platform dependent >
< tx-queue-id >:
bandwidth_percent: < value >
priority: < "priority strict" | "no priority" >
shape:
rate: < "< rate > kbps" | "1-100 percent" | "< rate > pps" , supported options are platform dependent >
uc_tx_queues:
< uc-tx-queue-id >:
bandwidth_percent: < value >
bandwidth_guaranteed_percent: < value >
priority: < "priority strict" | "no priority" >
shape:
rate: < "< rate > kbps" | "1-100 percent" | "< rate > pps" , supported options are platform dependent >
mc_tx_queues:
< mc-tx-queue-id >:
bandwidth_percent: < value >
bandwidth_guaranteed_percent: < value >
priority: < "priority strict" | "no priority" >
shape:
rate: < "< rate > kbps" | "1-100 percent" | "< rate > pps" , supported options are platform dependent >
< profile-2 >:
trust: < dscp | cos | disabled >
cos: < cos-value >
dscp: < dscp-value >
tx_queues:
< tx-queue-id >:
bandwidth_percent: < value >
priority: < "priority strict" | "no priority" >
< tx-queue-id >:
bandwidth_percent: < value >
priority: < "priority strict" | "no priority" >
Queue Monitor Length¶
queue_monitor_length:
# "enabled: true" will be required in AVD4.0. In AVD3.x default is true as long as queue_monitor_length is defined and not None
enabled: < true | false >
log: < seconds >
notifying: < true | false - should only be used for platforms supporting the "queue-monitor length notifying" CLI >
cpu:
thresholds:
# "high" threshold is mandatory
high: < integer >
low: < integer >
Queue Monitor Streaming¶
queue_monitor_streaming:
enable: < true | false >
ip_access_group: < access_list_name >
ipv6_access_group: < ipv6_access_list_name >
max_connections: < 1-100 >
vrf: < vrf_name >
Routing¶
ARP¶
Router Virtual MAC Address¶
IP Routing¶
IPv6 Routing¶
Router General configuration¶
router_general:
router_id:
ipv4: < IPv4_address >
ipv6: < IPv6_address >
nexthop_fast_failover: < true | false | default -> false >
vrfs:
< destination-vrf >:
leak_routes:
- source_vrf: < source-vrf >
subscribe_policy: < route-map policy >
- source_vrf: < source-vrf >
subscribe_policy: < route-map policy >
routes:
dynamic_prefix_lists:
- name: < dynamic_prefix_list_1 >
- name: < dynamic_prefix_list_2 >
Router BGP Configuration¶
router_bgp:
as: < bgp_as >
router_id: < IPv4_address >
distance:
external_routes: < 1-255 >
internal_routes: < 1-255 >
local_routes: < 1-255 >
graceful_restart:
enabled: < true | false >
restart_time: < 1-3600 >
stalepath_time: < 1-3600 >
# graceful-restart-help long-lived and restart-time are mutually exclusive in CLI
# restart-time will take precedence if both are configured.
graceful_restart_helper:
enabled: < true | false >
restart_time: < 1-100000000>
long_lived: < true | false >
maximum_paths:
paths: < 1-600 >
ecmp: < 1-600 >
updates:
wait_for_convergence: < true | false >
wait_install: < true | false >
bgp_cluster_id: < IPv4_address >
bgp_defaults:
- "< bgp command as string >"
- "< bgp command as string >"
bgp:
bestpath:
d_path: < true | false >
# New improved "listen_ranges" data model to support multiple listen ranges and additional filter capabilities
listen_ranges:
- prefix: < A.B.C.D/E | A:B:C:D:E:F:G:H/I >
# include router id as part of peer filter
peer_id_include_router_id: < true | false >
peer_group: < name of peer-group >
# peer_filter or remote_as is required but mutually exclusive. If both are defined, peer_filter takes precedence
peer_filter: < name of peer-filter >
remote_as: < remote ASN in plain or dot notation >
peer_groups:
< peer_group_name_1>:
type: < ipv4 | evpn >
remote_as: < bgp_as >
local_as: < bgp_as >
description: "< description as string >"
shutdown: < true | false >
# Remove private AS numbers in outbound AS path
remove_private_as:
enabled: < true | false >
all: < true | false >
replace_as: < true | false >
remove_private_as_ingress:
enabled: < true | false >
replace_as: < true | false >
peer_filter: < peer_filter >
next_hop_unchanged: < true | false >
update_source: < interface >
route_reflector_client: < true | false >
bfd: < true | false >
ebgp_multihop: < integer >
next_hop_self: < true | false >
password: "< encrypted_password >"
default_originate:
enabled: < true | false >
always: < true | false >
route_map: < route_map_name >
send_community: < standard | extended | large | all >
maximum_routes: < integer >
maximum_routes_warning_limit: < "<integer>" | "<0-100> percent" >
maximum_routes_warning_only: < true | false >
link_bandwidth:
enabled: < true | false >
default: < nn.nn(K|M|G) Link speed in bits/second >
allowas_in:
enabled: < true | false >
times: < 1-10 >
weight: < weight_value >
timers: < keepalive_hold_timer_values >
rib_in_pre_policy_retain:
enabled: < true | false >
all: < true | false >
route_map_in: < inbound route-map >
route_map_out: < outbound route-map >
< peer_group_name_2 >:
type: < ipv4 | evpn >
# "bgp_listen_range_prefix" and "peer_filter" will be deprecated in AVD v4.0
# These should not be mixed with the new `listen_ranges` key above to avoid conflicts.
bgp_listen_range_prefix: < IP prefix range >
peer_filter: < peer_filter >
password: "< encrypted_password >"
maximum_routes: < integer >
neighbors:
< IPv4_address_1 >:
peer_group: < peer_group_name >
remote_as: < bgp_as >
local_as: < bgp_as >
description: "< description as string >"
route_reflector_client: < true | false >
ebgp_multihop: < integer >
shutdown: < true | false >
# Remove private AS numbers in outbound AS path
remove_private_as:
enabled: < true | false >
all: < true | false >
replace_as: < true | false >
remove_private_as_ingress:
enabled: < true | false >
replace_as: < true | false >
update_source: < interface >
bfd: < true | false >
weight: < weight_value >
timers: < keepalive_hold_timer_values >
rib_in_pre_policy_retain:
enabled: < true | false >
all: < true | false >
route_map_in: < inbound route-map >
route_map_out: < outbound route-map >
default_originate:
enabled: < true | false >
always: < true | false >
route_map: < route_map_name >
send_community: < all | extended | large | standard >
maximum_routes: < integer >
maximum_routes_warning_limit: < "<integer>" | "<0-100> percent" >
maximum_routes_warning_only: < true | false >
link_bandwidth:
enabled: < true | false >
default: < nn.nn(K|M|G) Link speed in bits/second >
allowas_in:
enabled: < true | false >
times: < 1-10 >
< IPv4_address_2 >:
remote_as: < bgp_as >
next_hop_self: < true | false >
password: "< encrypted_password >"
< IPv6_address_1 >:
remote_as: < bgp_as >
neighbor_interfaces:
< interface >:
peer_group: < peer_group_name >
remote_as: < bgp_as >
peer_filter: <peer_filter>
aggregate_addresses:
< aggregate_address_1/mask >:
advertise_only: < true | false >
< aggregate_address_2/mask >:
< aggregate_address_3/mask >:
as_set: < true | false >
summary_only: < true | false >
attribute_map: < route_map_name >
match_map: < route_map_name >
advertise_only: < true | false >
redistribute_routes:
< route_type >:
route_map: < route_map_name >
< route_type >:
route_map: < route_map_name >
vlan_aware_bundles:
< vlan_aware_bundle_name_1 >:
rd: "< route distinguisher >"
rd_evpn_domain:
domain: < all | remote >
rd: "< route distinguisher >"
route_targets:
both:
- "< route_target >"
import:
- "< route_target >"
- "< route_target >"
export:
- "< route_target >"
- "< route_target >"
import_evpn_domains:
- domain: < all | remote >
route_target: "< route_target >"
export_evpn_domains:
- domain: < all | remote >
route_target: "< route_target >"
import_export_evpn_domains:
- domain: < all | remote >
route_target: "< route_target >"
redistribute_routes:
- < learned >
no_redistribute_routes:
- < host-route >
vlan: < vlan_range >
< vlan_aware_bundle_name_2 >:
rd: "< route distinguisher >"
route_targets:
both:
- "< route_target >"
import:
- "< route_target >"
- "< route_target >"
export:
- "< route_target >"
- "< route_target >"
import_evpn_domains:
- domain: < all | remote >
route_target: "< route_target >"
export_evpn_domains:
- domain: < all | remote >
route_target: "< route_target >"
redistribute_routes:
- < connected >
- < learned >
vlan: < vlan_range >
vlans:
< vlan_id_1>:
rd: "< route distinguisher >"
rd_evpn_domain:
domain: < all | remote >
rd: "< route distinguisher >"
route_targets:
both:
- "< route_target >"
import:
- "< route_target >"
- "< route_target >"
export:
- "< route_target >"
- "< route_target >"
import_evpn_domains:
- domain: < all | remote >
route_target: "< route_target >"
export_evpn_domains:
- domain: < all | remote >
route_target: "< route_target >"
import_export_evpn_domains:
- domain: < all | remote >
route_target: "< route_target >"
redistribute_routes:
- < connected >
- < learned >
no_redistribute_routes:
- < host-route >
< vlan_id_2 >:
rd: "< route distinguisher >"
route_targets:
import:
- "< route_target >"
- "< route_target >"
export:
- "< route_target >"
- "< route_target >"
redistribute_routes:
- < connected >
- < learned >
vpws:
- name: < vpws instance name >
rd: < route distinguisher >
route_targets:
import_export: < route target >
mpls_control_word: < true | false, Default -> false >
label_flow: < true | false, Default -> false >
mtu: < mtu >
pseudowires:
- name: < pseudowire name >
id_local: < integer, must match id_remote on other pe >
id_remote: < integer, must match id_local on other pe >
address_family_evpn:
domain_identifier: < string >
neighbor_default:
encapsulation: < vxlan | mpls >
next_hop_self_source_interface: < source interface >
next_hop_self_received_evpn_routes:
enable: < true | false >
inter_domain: < true | false >
peer_groups:
< peer_group_name >:
activate: < true | false >
route_map_in: < route_map_name >
route_map_out: < route_map_name >
domain_remote: < true | false >
evpn_hostflap_detection:
enabled: < true | false >
# Time in seconds
window: < integer >
# Minimum number of MAC moves that indicate a MAC Duplication issue
threshold: < integer >
# Timeout in seconds
expiry_timeout: < integer >
route:
import_match_failure_action: < 'discard' >
address_family_rtc:
peer_groups:
< peer_group_name >:
activate: < true | false >
default_route_target:
only: < true | false >
encoding_origin_as_omit:
address_family_ipv4:
networks:
< prefix_ipv4 >:
route_map: < route_map_name >
peer_groups:
< peer_group_name >:
route_map_in: < route_map_name >
route_map_out: < route_map_name >
activate: < true | false >
< peer_group_name >:
activate: < true | false >
prefix_list_in: < prefix_list_name >
prefix_list_out: < prefix_list_name >
default_originate:
always: < true | false >
route_map: < route_map_name >
next_hop:
address_family_ipv6_originate: < true | false >
neighbors:
< neighbor_ip_address>:
route_map_in: < route_map_name >
route_map_out: < route_map_name >
activate: < true | false >
prefix_list_in: < prefix_list_name >
prefix_list_out: < prefix_list_name >
< neighbor_ip_address>:
activate: < true | false >
default_originate:
always: < true | false >
route_map: < route_map_name >
address_family_ipv4_multicast:
peer_groups:
< peer_group_name >:
route_map_in: < route_map_name >
route_map_out: < route_map_name >
activate: < true | false >
< peer_group_name >:
activate: < true | false >
neighbors:
< neighbor_ip_address >:
route_map_in: < route_map_name >
route_map_out: < route_map_name >
activate: < true | false >
redistribute_routes:
< route_type >:
route_map: < route_map_name >
address_family_ipv6:
networks:
< prefix_ipv6 >:
route_map: < route_map_name >
peer_groups:
< peer_group_name >:
activate: < true | false >
route_map_in: < route_map_name >
route_map_out: < route_map_name >
prefix_list_in: < prefix_list_name >
prefix_list_out: < prefix_list_name >
< peer_group_name >:
activate: true
neighbors:
< neighbor_ip_address >:
route_map_in: < route_map_name >
route_map_out: < route_map_name >
prefix_list_in: < prefix_list_name >
prefix_list_out: < prefix_list_name >
activate: < true | false >
redistribute_routes:
< route_type >:
route_map: < route_map_name >
< route_type >:
route_map: < route_map_name >
address_family_vpn_ipv4:
domain_identifier: < string >
peer_groups:
< peer_group_name >:
activate: < true | false >
route_map_in: < route_map_name >
route_map_out: < route_map_name >
neighbors:
< neighbor_ip_address >:
activate: < true | false >
route_map_in: < route_map_name >
route_map_out: < route_map_name >
neighbor_default_encapsulation_mpls_next_hop_self:
source_interface: < interface >
route:
import_match_failure_action: < 'discard' >
address_family_vpn_ipv6:
domain_identifier: < string >
peer_groups:
< peer_group_name >:
activate: < true | false >
route_map_in: < route_map_name >
route_map_out: < route_map_name >
neighbors:
< neighbor_ip_address >:
activate: < true | false >
route_map_in: < route_map_name >
route_map_out: < route_map_name >
neighbor_default_encapsulation_mpls_next_hop_self:
source_interface: < interface >
route:
import_match_failure_action: < 'discard' >
vrfs:
< vrf_name_1 >:
rd: "< route distinguisher >"
evpn_multicast: < true | false >
# evpn_multicast_address_family requires evpn_multicast: true to be set
evpn_multicast_address_family:
ipv4:
transit: < true | false >
route_targets:
import:
< address_family >:
- "< route_target >"
- "< route_target >"
< address_family >:
- "< route_target >"
- "< route_target >"
export:
< address_family >:
- "< route_target >"
- "< route_target >"
router_id: < IPv4_address >
timers: < keepalive_hold_timer_values >
networks:
< prefix_ipv4 >:
route_map: < route_map_name >
# New improved "listen_ranges" data model to support multiple listen ranges and additional filter capabilities
listen_ranges:
- prefix: < A.B.C.D/E | A:B:C:D:E:F:G:H/I >
# include router id as part of peer filter
peer_id_include_router_id: < true | false >
peer_group: < name of peer-group >
# peer_filter or remote_as is required but mutually exclusive. If both are defined, peer_filter takes precedence
peer_filter: < name of peer-filter >
remote_as: < remote ASN in plain or dot notation >
neighbors:
< neighbor_ip_address >:
remote_as: < asn >
peer_group: < peer_group_name >
password: "< encrypted_password >"
# Remove private AS numbers in outbound AS path
remove_private_as:
enabled: < true | false >
all: < true | false >
replace_as: < true | false >
remove_private_as_ingress:
enabled: < true | false >
replace_as: < true | false >
weight: < weight_value >
local_as: < asn >
description: < description >
ebgp_multihop: < integer >
next_hop_self: < true | false >
bfd: < true | false >
timers: < keepalive_hold_timer_values >
rib_in_pre_policy_retain:
enabled: < true | false >
all: < true | false >
send_community: < standard | extended | large | all >
maximum_routes: < integer >
maximum_routes_warning_limit: < "<integer>" | "<0-100> percent" >
maximum_routes_warning_only: < true | false >
allowas_in:
enabled: < true | false >
times: < 1-10 >
default_originate:
always: < true | false >
route_map: < route_map_name >
update_source: < interface >
route_map_out: < route-map name >
route_map_in: < route-map name >
prefix_list_in: < prefix_list_name >
prefix_list_out: < prefix_list_name >
< neighbor_ip_address >:
remote_as: < asn >
description: < description >
next_hop_self: < true | false >
timers: < keepalive_hold_timer_values >
send_community: < standard | extended | large | all >
shutdown: < true | false >
neighbor_interfaces:
< interface >:
peer_group: < peer_group_name >
remote_as: < bgp_as >
peer_filter: <peer_filter>
redistribute_routes:
< route_type >:
route_map: < route_map_name >
< route_type >:
route_map: < route_map_name >
aggregate_addresses:
< aggregate_address_1/mask >:
advertise_only: < true | false >
< aggregate_address_2/mask >:
< aggregate_address_3/mask >:
as_set: < true | false >
summary_only: < true | false >
attribute_map: < route_map_name >
match_map: < route_map_name >
advertise_only: < true | false >
address_families:
< address_family >:
bgp:
missing_policy:
direction_in_action: < deny | deny-in-out | permit >
direction_out_action: < deny | deny-in-out | permit >
additional_paths:
- < bgp_additional_paths_command >
- < bgp_additional_paths_command >
neighbors:
< neighbor_ip_address >:
activate: < true | false >
route_map_out: < route_map_name >
route_map_in: < route_map_name >
peer_groups:
< peer_group >:
activate: < true | false >
next_hop:
address_family_ipv6_originate: < true | false >
networks:
< prefix_address >:
route_map: < route_map_name >
# EOS CLI rendered directly on the Router BGP, VRF definition in the final EOS configuration
eos_cli: |
< multiline eos cli >
< vrf_name_2 >:
rd: "<route distinguisher >"
route_targets:
import:
< address_family >:
- "< route_target >"
- "< route_target >"
< address_family >:
- "< route_target >"
- "< route_target >"
export:
< address_family >:
- "< route_target >"
- "< route_target >"
redistribute_routes:
< route_type >:
route_map: < route_map_name >
< route_type >:
route_map: < route_map_name >
Router IGMP Configuration¶
Router OSPF Configuration¶
router_ospf:
process_ids:
< process_id >:
vrf: < vrf_name_for_process_id >
passive_interface_default: < true | false >
router_id: < IPv4_address >
distance:
external: < 1-255 >
inter_area: < 1-255 >
intra_area: < 1-255 >
log_adjacency_changes_detail: < true | false >
network_prefixes:
< IPv4 subnet / netmask >:
area: < area >
< IPv4 subnet / netmask >:
area: < area >
bfd_enable: < true | false >
bfd_adjacency_state_any: < true | false >
no_passive_interfaces:
- < interface_1 >
- < interface_2 >
distribute_list_in:
route_map: < route_map >
max_lsa: < integer >
timers:
lsa:
rx_min_interval: < 0-600000 - Min interval in msecs between accepting the same LSA >
tx_delay:
initial: < 0-600000 - Delay to generate first occurrence of LSA in msecs >
min: < 1-600000 Min delay between originating the same LSA in msecs >
max: < 1-600000 Maximum delay between originating the same LSA in msecs >
spf_delay:
initial: < 0-600000 - Initial SPF schedule delay in msecs >
min: < 0-65535000 Min Hold time between two SPFs in msecs >
max: < 0-65535000 Max wait time between two SPFs in msecs >
default_information_originate:
always: true
summary_addresses:
- prefix: < summary_prefix_01 >
tag: < string >
- prefix: < summary_prefix_02 >
attribute_map: < string >
- prefix: < summary_prefix_03 >
not_advertise: < true >
- prefix: < summary_prefix_04 >
- prefix: < summary_prefix_05 >
redistribute:
static:
route_map: < route_map_name >
connected:
route_map: < route_map_name >
bgp:
route_map: < route_map_name >
auto_cost_reference_bandwidth: < bandwidth in mbps >
areas:
< area >:
filter:
networks:
- < IPv4 subnet / netmask >
- < IPv4 subnet / netmask >
prefix_list: < prefix list name >
< area >:
type: < normal | stub | nssa | default -> normal >
no_summary: < true | false >
nssa_only: < true | false >
default_information_originate:
metric: < Integer 1-65535 > # Value of the route metric
metric_type: < 1 | 2 > # OSPF metric type
maximum_paths: < Integer 1-128 >
max_metric:
router_lsa:
external_lsa:
override_metric: < Integer 1-16777215 >
include_stub: < true | false >
on_startup: < "wait-for-bgp" | Integer 5-86400 >
summary_lsa:
override_metric: < Integer 1-16777215 >
mpls_ldp_sync_default: < true | false >
Router ISIS Configuration¶
router_isis:
instance: < ISIS Instance Name >
net: < CLNS Address to run ISIS | format 49.0001.0001.0000.0001.00 >
router_id: < IPv4_address >
is_type: < level-1 | level-1-2 | level-2 >
log_adjacency_changes: < true | false >
mpls_ldp_sync_default: < true | false >
timers:
local_convergence:
protected_prefixes: < true | false >
delay: < number of milliseconds (Optional, default is 10000) >
advertise:
passive_only: < true | false >
address_family: < List of Address Families >
isis_af_defaults:
- maximum-paths < Integer 1-128 >
redistribute_routes:
- source_protocol: < bgp | connected | isis | ospf | ospfv3 | static >
route_map: < route_map_name >
include_leaked: < true | false >
# ospf_route_type is required with source_protocols 'ospf' and 'ospfv3'
ospf_route_type: < internal | external | nssa-external >
address_family_ipv4:
maximum_paths: < Integer 1-128 >
fast_reroute_ti_lfa:
mode: < link-protection | node-protection >
level: < level-1 | level-2 >
srlg:
enable: < true | false >
strict: < true | false >
tunnel_source_labeled_unicast:
enabled: < true | false >
rcf: < routing_control_function() >
address_family_ipv6:
maximum_paths: < Integer 1-128 >
fast_reroute_ti_lfa:
mode: < link-protection | node-protection >
level: < level-1 | level-2 (Optional, default is to protect all levels) >
srlg:
enable: < true | false >
strict: < true | false >
segment_routing_mpls:
enabled: < true | false >
router_id: < router_id >
prefix_segments:
- prefix: < IPv4_network/Mask | IPv6_network/Mask >
index: < integer >
Router Traffic Engineering¶
router_traffic_engineering:
router_id:
ipv4: < IPv4_address >
ipv6: < IPv6_address >
segment_routing:
colored_tunnel_rib: true
policy_endpoints:
- address: < IPv4_address | IPv6_address >
colors:
- value: < integer >
binding_sid: < integer >
description: < description >
name: < name >
sbfd_remote_discriminator: < IPv4_address | u32 format >
path_group:
- preference: < integer >
explicit_null: < "ipv4" | "ipv6" | "ipv4 ipv6" | "none" >
segment_list:
- label_stack: < integer > < integer > < integer >
weight: < integer >
index: < integer >
- value: < integer >
binding_sid: < integer >
description: < description >
name: < name >
path_group:
- preference: < integer >
explicit_null: < "ipv4" | "ipv6" | "ipv4 ipv6" | "none" >
segment_list:
- label_stack: < integer > < integer > < integer >
weight: < integer >
index: < integer >
Service Routing Configuration BGP¶
Service Routing Protocols Model¶
Static Routes¶
static_routes:
- vrf: < vrf_name, if vrf_name = default the route will be placed in the GRT >
destination_address_prefix: < IPv4_network/Mask >
interface: < interface >
gateway: < IPv4_address >
track_bfd: < boolean >
distance: < 1-255 >
tag: < 0-4294967295 >
name: < description >
metric: < 0-4294967295 >
- destination_address_prefix: < IPv4_network/Mask >
gateway: < IPv4_address >
IPv6 Static Routes¶
ipv6_static_routes:
- vrf: < vrf_name, if vrf_name = default the route will be placed in the GRT >
destination_address_prefix: < IPv6_network/Mask >
interface: < interface >
gateway: < IPv6_address >
track_bfd: < boolean >
distance: < 1-255 >
tag: < 0-4294967295 >
name: < description >
metric: < 0-4294967295 >
- destination_address_prefix: < IPv6_network/Mask >
gateway: < IPv6_address >
VRF Instances¶
vrfs:
< vrf_name >:
description: < description>
ip_routing: < true | false >
ipv6_routing: < true | false >
< vrf_name >:
description: < description>
ip_routing: < true | false >
ipv6_routing: < true | false >
Router L2 VPN¶
router_l2_vpn:
nd_rs_flooding_disabled: < true | false >
virtual_router_nd_ra_flooding_disabled: < true | false >
arp_selective_install: < true | false >
arp_proxy:
prefix_list: < prefix_list_name >
Router MSDP¶
router_msdp:
originator_id_local_interface: < interface >
rejected_limit: < 0-40000 >
forward_register_packets: < true | false >
connection_retry_interval: < 1-65535 >
group_limits:
- limit: < 0-40000 >
source_prefix: < ipv4_prefix/mask >
peers:
- ipv4_address: < ipv4_address >
default_peer:
enabled: < true | false >
prefix_list: < prefix_list_name >
local_interface: < interface >
description: < description >
disabled: < true | false >
sa_limit: < 0-40000 >
mesh_groups:
- name: < mesh_group_name >
keepalive:
keepalive_timer: < 1-65535 >
hold_timer: < 1-65535, must be greater than keepalive_timer >
sa_filter:
in_list: < acl_name >
out_list: < acl_name >
vrfs:
- name: < vrf_name, if vrf_name = default, the configuration will be applied to the global section >
originator_id_local_interface: < interface >
rejected_limit: < 0-40000 >
forward_register_packets: < true | false >
connection_retry_interval: < 1-65535 >
group_limits:
- limit: < 0-40000 >
source_prefix: < ipv4_prefix/mask >
peers:
- ipv4_address: < ipv4_address >
default_peer:
enabled: < true | false >
prefix_list: < prefix_list_name >
local_interface: < interface >
description: < description >
disabled: < true | false >
sa_limit: < 0-40000 >
mesh_groups:
- name: < mesh_group_name >
keepalive:
keepalive_timer: < 1-65535 >
hold_timer: < 1-65535, must be greater than keepalive_timer >
sa_filter:
in_list: < acl_name >
out_list: < acl_name >
Spanning Tree¶
spanning_tree:
root_super: < true | false >
edge_port:
bpdufilter_default: < true | false >
bpduguard_default: < true | false >
mode: < mstp | rstp | rapid-pvst | none >
bpduguard_rate_limit:
default: < true | false >
# Maximum number of BPDUs per timer interval
count: < integer >
rstp_priority: < priority >
mst:
pvst_border: < true | false >
configuration:
name: < name >
revision: < 0-65535 >
instances:
"< instance_id >":
vlans: "< vlan_id >, < vlan_id >-< vlan_id >"
"< instance_id >":
vlans: "< vlan_id >, < vlan_id >-< vlan_id >"
mst_instances:
"< instance_id >":
priority: < priority >
"< instance_id >":
priority: < priority >
no_spanning_tree_vlan: "< vlan_id >, < vlan_id >-< vlan_id >"
rapid_pvst_instances:
"< vlan_id >":
priority: < priority >
"< vlan_id >, < vlan_id >-< vlan_id >":
priority: < priority >
System Boot Settings¶
boot:
# Set the Aboot password
secret:
hash_algorithm: < md5 | sha512 | default -> sha512 >
key: "< hashed_password >"
Terminal Settings¶
Traffic Policies¶
traffic_policies:
options:
counter_per_interface: < true | false >
field_sets:
ipv4:
< PREFIX FIELD SET NAME >:
- < IPv4 prefix 01>
- < IPv4 prefix 02>
- < IPv4 prefix 03>
ipv6:
< PREFIX FIELD SET NAME >:
- < IPv6 prefix 01>
- < IPv6 prefix 02>
- < IPv6 prefix 03>
ports:
< L4 PORT FIELD SET NAME >: "< vlan range >"
policies:
< TRAFFIC POLICY NAME >:
matches:
< TRAFFIC POLICY ITEM >:
type: < ipv4 | ipv6 >
source:
prefixes:
- < prefix 01 >
- < prefix 02 >
prefix_lists:
- < Field Set List 01 >
- < Field Set List 02 >
destination:
prefixes:
- < prefix 01 >
- < prefix 02 >
prefix_lists:
- < Field Set List 01 >
- < Field Set List 02 >
ttl: "< ttl range>"
# The 'fragment' command is not supported when 'source port'
# or 'destination port' command is configured
fragment:
offset: "< fragment offset range >"
protocols:
tcp:
src_port: "< port range >"
dst_port: "< port range >"
src_field: "< L4 port range field set >"
dst_field: "< L4 port range field set >"
flags:
- established
- initial
icmp:
icmp_type:
- < ICMP message type >
- < ICMP message type >
udp:
src_port: "< port range >"
dst_port: "< port range >"
src_field: "< L4 port range field set >"
dst_field: "< L4 port range field set >"
ahp:
bgp:
icmp:
igmp:
ospf:
pim:
rsvp:
vrrp:
# The 'protocol neighbors' subcommand is not supported when any
# other match subcommands are configured
neighbors:
actions:
dscp: < dscp code value >
traffic_class: < traffic class id >
count: < counter name >
drop: < true | false (default false) >
# Only supported when action is set to drop
log: < true | false (default false) >
# Last resort policy
default_actions:
< ipv4 | ipv6 >:
dscp: < dscp code value >
traffic_class: < traffic class id >
count: < counter name >
drop: < true | false (default false) >
# Only supported when action is set to drop
log: < true | false (default false) >
Virtual Source NAT¶
virtual_source_nat_vrfs:
< vrf_name_1 >:
ip_address: < IPv4_address >
< vrf_name_2 >:
ip_address: < IPv4_address >
VLANs¶
vlans:
< vlan_id >:
name: < vlan_name >
state: < active | suspend >
trunk_groups:
- < trunk_group_name_1 >
- < trunk_group_name_2 >
private_vlan:
type: < community | isolated >
primary_vlan: < vlan_id >
< vlan_id >:
name: < vlan_name >
MAC Address-table¶
mac_address_table:
aging_time: < aging_time_in_seconds >
notification_host_flap:
logging: < true | false >
detection:
window: < 2-300 >
moves: < 2-10 >
Upgrade of eos_cli_config_gen data model¶
The AVD major releases can contain breaking changes to the data models.
Data model changes requires a change to the group_vars
and host_vars
. To help identify needed changes and provide a smoother transition, the AVD 3.0 eos_cli_config_gen
role can provide automatic upgrade of the data model for AVD 2.x to 3.0 upgrades.
To leverage this upgrade functionality, the playbook must include tasks_from: upgrade
or tasks_from: upgrade-and-run
for the import_role
of eos_cli_config_gen
. Using upgrade
alone will output the upgraded data files as described below. upgrade-and-run
will also
run the regular eos_cli_config_gen
tasks after upgrading the data model.
The upgraded data will be saved in {{ inventory_dir }}/eos_cli_config_gen_upgrade_2.x_to_3.0
directory.
The user should then replace the old data structures manually in group_vars
and host_vars
files as applicable until no files are created in the upgrade directory when
running the playbook. After all data has been upgraded, the tasks_from: upgrade
can be removed again.
This eos_cli_config_gen
upgrade feature is not required when using eos_designs
. Upgrade should be done on eos_designs
instead.
See README for details on the eos_designs
upgrade feature.
Versioning¶
To support future upgrades the relevant upgrade tasks can be chosen using a new upgrade setting.
Example Playbooks¶
Running upgrade only
---
- hosts: DC1_FABRIC
tasks:
- name: Run AVD eos_cli_config_gen
import_role:
tasks_from: upgrade
name: arista.avd.eos_cli_config_gen
Running upgrade and the regular eos_cli_config_gen
tasks
---
- hosts: DC1_FABRIC
tasks:
- name: Run AVD eos_cli_config_gen
import_role:
tasks_from: upgrade-and-run
name: arista.avd.eos_cli_config_gen
Alternative with separate tasks:
---
- hosts: DC1_FABRIC
tasks:
- name: Upgrade AVD eos_cli_config_gen data model
import_role:
tasks_from: upgrade
name: arista.avd.eos_cli_config_gen
- name: Run AVD eos_cli_config_gen
import_role:
name: arista.avd.eos_cli_config_gen
License¶
Project is published under Apache 2.0 License