cisco.dnac.wired_campus_automation_workflow_manager module – Manage wired campus automation operations in Cisco Catalyst Center
Note
This module is part of the cisco.dnac collection (version 6.42.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.dnac.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: cisco.dnac.wired_campus_automation_workflow_manager.
New in cisco.dnac 6.20.0
Synopsis
BETA MODULE, CISCO INTERNAL USE ONLY
This module is currently in beta and is intended for Cisco internal purposes only.
It is not available for customer consumption and should not be used in production environments.
This module provides comprehensive management of Layer 2 wired network configurations in
Cisco Catalyst Center.
Configure VLANs, STP, CDP, LLDP, VTP, DHCP Snooping, IGMP/MLD Snooping, authentication,
port channels, and interface settings.
Supports both creation and updating of configurations on network devices.
Provides automated deployment of intended configurations to devices.
Includes comprehensive validation of all configuration parameters before applying changes.
Feature Support Matrix
VLANs - create, update, delete
CDP - create, update, delete
LLDP - create, update, delete
STP - create, update (delete not supported due to API limitations)
VTP - create, update, delete
DHCP Snooping - create, update, delete
IGMP Snooping - create, update (delete not supported due to API limitations)
MLD Snooping - create, update (delete not supported due to API limitations)
Authentication - create, update, delete
Logical Ports - create, update (delete not supported due to API limitations)
Port Configuration - create, update (delete not supported due to API limitations)
Known API Limitations & Issues
The deleted state is not supported for STP, IGMP Snooping, MLD Snooping, Port Configuration, and Logical Ports due to underlying beta API limitations.
Several known issues exist with the beta APIs that may affect functionality.
VLANs (vlanConfig) -
VLAN configuration may silently fail when VTP mode is SERVER (CSCwr00884)
VLAN name cannot be reset to empty string once set
STP (stpGlobalConfig) -
STP instance deletion does not properly remove deployed configuration (CSCwr01764)
Incorrect payload structure validation for isStpEnabled parameter (CSCwr0107)
VTP (vtpGlobalConfig) -
Domain name cannot be removed once set (expected behavior)
Configuration file name and source interface cannot be reset to empty string (CSCwr01195)
Misleading validation error when attempting to remove VTP domain name (CSCwr01131)
DHCP Snooping (dhcpSnoopingGlobalConfig) -
Global configuration not fully reset to defaults after intent deletion (CSCwr01309)
Agent URL, proxy bridge VLANs, and snooping VLANs cannot be reset using empty strings (CSCwr01255, CSCwr01321, CSCwr01327)
IGMP/MLD Snooping (igmpSnoopingGlobalConfig, mldSnoopingGlobalConfig) -
Querier address does not reset to default on intent deletion (CSCwr01879)
MLD snooping rejects empty querier address in update operations (CSCwr06296)
Logical Ports (portchannelConfig) -
Port channel configuration may fail silently without proper error response (CSCwr01895)
Optional fields incorrectly enforced as required during validation (CSCwr08060)
Port Configuration (switchportInterfaceConfig) -
Switchport configuration may silently fail during comprehensive port updates
Storm Control, Port Security, and UDLD interface configurations are not supported (available in 3.2.x release)
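Because several of the beta APIs listed above can fail silently, a local check of the intended values against the documented constraints catches mistakes before anything is sent to Catalyst Center. The following is an added example, not code from the cisco.dnac collection: it checks the DHCP Snooping constraints stated in the Parameters section. The flat dictionary layout and the keys agent_url, database_timeout and database_write_delay are assumptions made for illustration; only dhcp_snooping_vlans and dhcp_snooping_proxy_bridge_vlans are names taken from this page, and VLAN lists are assumed to hold plain integers.

```python
# Added example: pre-flight check of DHCP Snooping settings against the
# constraints documented on this page. Not part of the cisco.dnac collection.

# Protocol prefixes the page lists as valid for the binding database agent URL.
AGENT_URL_PREFIXES = (
    "bootflash:", "crashinfo:", "flash:", "ftp:", "http:",
    "https:", "rcp:", "scp:", "sftp:", "tftp:",
)

# Hypothetical key names -> (min, max) in seconds; the ranges are from the page.
TIMER_RANGES = {
    "database_timeout": (0, 86400),
    "database_write_delay": (15, 86400),
}


def is_int(value):
    """True for a real integer (bool is rejected even though it subclasses int)."""
    return isinstance(value, int) and not isinstance(value, bool)


def is_vlan_id(value):
    """True for an integer in the documented VLAN range 1-4094."""
    return is_int(value) and 1 <= value <= 4094


def check_dhcp_snooping(cfg):
    """Return a list of constraint violations; an empty list means clean."""
    errors = []
    snoop = cfg.get("dhcp_snooping_vlans") or []
    proxy = cfg.get("dhcp_snooping_proxy_bridge_vlans") or []

    for key, vlans in (("dhcp_snooping_vlans", snoop),
                       ("dhcp_snooping_proxy_bridge_vlans", proxy)):
        bad = [v for v in vlans if not is_vlan_id(v)]
        if bad:
            errors.append(f"{key}: not a VLAN ID in 1-4094: {bad}")

    # Every proxy bridge VLAN must also appear in the snooping VLAN list.
    orphans = [v for v in proxy if is_vlan_id(v) and v not in snoop]
    if orphans:
        errors.append(
            f"dhcp_snooping_proxy_bridge_vlans: {orphans} missing from dhcp_snooping_vlans"
        )

    url = cfg.get("agent_url")  # hypothetical key name
    if url is not None:
        if not isinstance(url, str) or not 5 <= len(url) <= 227:
            errors.append("agent_url: length must be 5-227 characters")
        elif not url.startswith(AGENT_URL_PREFIXES):
            errors.append(f"agent_url: unsupported protocol prefix in {url!r}")

    for key, (low, high) in TIMER_RANGES.items():
        value = cfg.get(key)
        if value is not None and not (is_int(value) and low <= value <= high):
            errors.append(f"{key}: must be an integer in {low}-{high}")

    return errors


# Constructed sample inputs (not taken from a real device or playbook).
SAMPLE_GOOD = {
    "dhcp_snooping_vlans": [10, 20, 30],
    "dhcp_snooping_proxy_bridge_vlans": [20, 30],
    "agent_url": "flash:dhcp_bindings.db",
    "database_timeout": 300,
    "database_write_delay": 300,
}
SAMPLE_BAD = {
    "dhcp_snooping_vlans": [10, 20, 4095],        # 4095 is out of range
    "dhcp_snooping_proxy_bridge_vlans": [20, 30],  # 30 is not a snooping VLAN
    "agent_url": "nfs://192.0.2.10/bindings.db",   # prefix not in the allowed list
    "database_timeout": 300,
    "database_write_delay": 5,                     # below the 15 second minimum
}

if __name__ == "__main__":
    for name, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        problems = check_dhcp_snooping(cfg)
        print(f"{name}: {len(problems)} problem(s)")
        for problem in problems:
            print(f"  - {problem}")
```

An empty agent_url is reported as a length violation, which matches the known issue above that the agent URL cannot be reset with an empty string.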
Requirements
The below requirements are needed on the host that executes this module.
dnacentersdk >= 2.10.1
python >= 3.9
Parameters
Parameter |
Comments |
|---|---|
List of wired campus automation configurations to be applied to network devices. |
|
Controls whether to verify the device’s collection status before applying configurations. When true, ensures the device is in “Managed” or “In Progress” state before proceeding. When false, skips the collection status check (useful for devices being onboarded). Recommended to keep as true for production environments. Choices:
|
|
The hostname of the network device to configure. Used when IP address is not available or preferred. Must match the hostname registered in Catalyst Center. Either “ip_address” or “hostname” must be provided to identify the device. |
|
The management IP address of the network device to configure. Must be a valid IPv4 address format. Either “ip_address” or “hostname” must be provided to identify the device. If both are provided, ip_address takes precedence. Example - “192.168.1.1” |
|
Comprehensive Layer 2 configuration settings for the network device. Contains all supported Layer 2 protocols and features. Each feature is optional and can be configured independently. |
|
IEEE 802.1X authentication configuration settings. Provides port-based network access control for enhanced security. Authenticates devices before granting network access. Foundation for Identity-Based Networking Services (IBNS). |
|
Authentication configuration mode (legacy vs. new style).
NEW_STYLE is recommended for modern authentication deployments. Affects how authentication policies are configured and applied. Once the authentication configuration mode is set, it cannot be changed. Choices:
|
|
Globally enable or disable 802.1X authentication. When true, enables 802.1X authentication globally. When false, disables 802.1X authentication on all ports. Must be enabled before configuring per-port authentication. Equivalent to “dot1x system-auth-control” command. Choices:
|
|
Cisco Discovery Protocol (CDP) global configuration settings. CDP is a Cisco proprietary protocol for discovering neighboring Cisco devices. Runs over Layer 2 and provides device information like platform, capabilities, and addresses. Useful for network topology discovery and troubleshooting. |
|
Globally enable or disable CDP on the device. When true, CDP is enabled globally (equivalent to “cdp run” command). When false, CDP is disabled globally on all interfaces. Individual interfaces can still override this setting. Choices:
|
|
Enable CDP version 2 advertisements. When true, sends CDP version 2 advertisements (default and recommended). When false, sends CDP version 1 advertisements (legacy compatibility). Version 2 provides additional information and error detection. Equivalent to “cdp advertise-v2” command. Choices:
|
|
Time in seconds that receiving devices should hold CDP information before discarding it. Must be between 10 and 255 seconds. Should be set higher than the timer interval to prevent information loss. Typical values are 180 seconds (3 times the default timer). Equivalent to “cdp holdtime” command. Default: |
|
Enable logging of duplex mismatches detected by CDP. When true, logs warnings when CDP detects duplex mismatches with neighbors. When false, duplex mismatch detection is disabled. Useful for identifying and troubleshooting duplex configuration issues. Equivalent to “cdp log mismatch duplex” command. Choices:
|
|
Frequency in seconds at which CDP advertisements are sent. Must be between 5 and 254 seconds. Lower values provide more current information but increase network overhead. Higher values reduce overhead but may delay topology discovery. Equivalent to “cdp timer” command. Default: |
|
DHCP Snooping configuration for securing DHCP operations. Prevents rogue DHCP servers and protects against DHCP-based attacks. Maintains a binding table of legitimate DHCP assignments. Foundation for other security features like IP Source Guard. |
|
Globally enable or disable DHCP Snooping on the device. When true, enables DHCP Snooping globally. When false, disables DHCP Snooping on all VLANs. Must be enabled before configuring per-VLAN or per-interface settings. Equivalent to “ip dhcp snooping” command. Choices:
|
|
URL for storing DHCP Snooping binding database remotely. Supports TFTP, FTP, and other file transfer protocols. Provides persistence of bindings across switch reboots. Minimum 5 characters, maximum 227 characters. Format for the URL - “protocol://server_ip/filename”. The URL must start with one of the following protocol prefixes (“bootflash:”, “crashinfo:”, “flash:”, “ftp:”, “http:”, “https:”, “rcp:”, “scp:”, “sftp:”, “tftp:”). Examples of valid URLs - tftp URL - “tftp://192.168.1.100/dhcp_bindings.db”, ftp URL - “ftp://server.example.com/backups/dhcp_bindings.db”, flash URL - “flash:dhcp_bindings.db”, bootflash URL - “bootflash:dhcp_bindings.db”. |
|
Timeout in seconds for database operations. Must be between 0 and 86400 seconds (24 hours). Time to wait for database read/write operations to complete. 0 means no timeout (wait indefinitely). Should be set based on network latency and server performance. Default: |
|
Delay in seconds between database write operations. Must be between 15 and 86400 seconds. Batches multiple binding changes to reduce I/O overhead. Lower values provide more current data but increase overhead. Should balance between data currency and performance. Default: |
|
Enable DHCP gleaning for learning bindings from DHCP traffic. When true, learns DHCP bindings by monitoring DHCP acknowledgments. Useful for populating the binding table in existing networks. Should be used temporarily during initial deployment. Equivalent to “ip dhcp snooping glean” command. Choices:
|
|
List of VLAN IDs to enable in bridge mode for DHCP relay. Each VLAN ID must be between 1 and 4094. Enables DHCP relay functionality in bridge mode. Useful for environments with DHCP servers on different subnets. Works in conjunction with DHCP relay configuration. All VLANs specified here must also be included in “dhcp_snooping_vlans” list. |
|
List of VLAN IDs where DHCP Snooping should be enabled. Each VLAN ID must be between 1 and 4094. Only VLANs in this list will have DHCP packets inspected. VLANs not in the list will forward DHCP packets normally. Can be configured as individual VLANs or ranges. All VLANs specified in “dhcp_snooping_proxy_bridge_vlans” must also be included in this list. |
|
Internet Group Management Protocol (IGMP) Snooping configuration. Optimizes multicast traffic delivery in Layer 2 networks. Prevents unnecessary multicast flooding by learning group memberships. Essential for efficient multicast application delivery. |
|
Globally enable or disable IGMP Snooping. When true, enables IGMP Snooping globally on the switch. When false, disables IGMP Snooping and floods all multicast traffic. When disabling IGMP snooping globally, first disable IGMP snooping on all VLANs where it is currently enabled. Enabled by default on most modern switches. Equivalent to “ip igmp snooping” command. Choices:
|
|
Enable IGMP Querier functionality globally. When true, the switch can act as an IGMP querier. When false, relies on external queriers (routers). Required when no multicast router is present in the VLAN. Equivalent to “ip igmp snooping querier” command. Choices:
|
|
Source IP address for IGMP query messages. Must be a valid IPv4 or IPv6 address. Used when the switch acts as an IGMP querier. Should be an address reachable by all multicast receivers. Helps identify the querier in network troubleshooting. |
|
Interval in seconds between IGMP general query messages. Must be between 1 and 18000 seconds. Lower values provide faster detection of membership changes. Higher values reduce network overhead but slow detection. Should be coordinated with receiver timeout settings. Default: |
|
IGMP version for query messages.
Choose based on receiver capabilities and application requirements. Choices:
|
|
List of per-VLAN IGMP Snooping configurations. Allows customization of IGMP Snooping parameters per VLAN. Each VLAN can have different querier settings and mrouter ports. Useful for optimizing multicast delivery per network segment. |
|
Enable IGMP Snooping for this specific VLAN. When true, IGMP Snooping is active for this VLAN. When false, multicast traffic is flooded in this VLAN. Overrides the global IGMP Snooping setting for this VLAN. Choices:
|
|
Enable immediate leave processing for IGMP in this VLAN. When true, immediately removes port from multicast group upon leave message. When false, waits for query timeout before removing port from group. Use with caution in shared media environments where multiple devices may be on same port. Provides faster leave processing for point-to-point links and single device connections. Equivalent to “ip igmp snooping immediate-leave” command per VLAN. Choices:
|
|
List of interface names that connect to multicast routers. Interfaces in this list are treated as mrouter ports. Multicast traffic is always forwarded to these ports. Format is interface type and number (for example, “GigabitEthernet1/0/1”). Essential for proper multicast routing integration. |
|
Enable IGMP Querier for this specific VLAN. When true, this VLAN can have its own querier. When false, relies on external queriers for this VLAN. Useful when different VLANs have different querier requirements. If any VLAN in “igmp_snooping_vlans” has “igmp_snooping_querier” set to true, this must also be true. Choices:
|
|
Source IP address for IGMP queries in this VLAN. Must be a valid IPv4 or IPv6 address. Should be an address within the VLAN’s subnet. Used for VLAN-specific querier identification. |
|
Query interval for this specific VLAN in seconds. Must be between 1 and 18000 seconds. Can be optimized based on VLAN’s multicast traffic patterns. Lower intervals for VLANs with dynamic memberships. |
|
IGMP version for this VLAN’s query messages.
Can be different from the global IGMP version. Choose based on VLAN-specific application requirements. Choices:
|
|
VLAN ID for this IGMP Snooping configuration. Must be between 1 and 4094. VLAN must exist before configuring IGMP Snooping. Each VLAN can have independent IGMP Snooping settings. |
|
Link Layer Discovery Protocol (LLDP) global configuration settings. LLDP is an IEEE 802.1AB standard protocol for discovering neighboring devices. Vendor-neutral alternative to CDP, supported by multiple vendors. Provides device identification, capabilities, and management information. |
|
Globally enable or disable LLDP on the device. When true, LLDP is enabled globally (equivalent to “lldp run” command). When false, LLDP is disabled globally on all interfaces. Individual interfaces can still override this setting. Choices:
|
|
Time in seconds that receiving devices should hold LLDP information before discarding it. Must be between 0 and 32767 seconds. Should be set higher than the timer interval to prevent information loss. A value of 0 means the information should not be aged out. Equivalent to “lldp holdtime” command. Default: |
|
Delay in seconds for LLDP initialization on any interface. Must be between 2 and 5 seconds. Prevents rapid enable/disable cycles during interface initialization. Provides stability during interface state changes. Equivalent to “lldp reinit” command. Default: |
|
Frequency in seconds at which LLDP advertisements are sent. Must be between 5 and 32767 seconds. Lower values provide more current information but increase network overhead. Higher values reduce overhead but may delay topology discovery. Equivalent to “lldp timer” command. Default: |
|
Port channel (EtherChannel) configuration for link aggregation. Combines multiple physical links into a single logical interface. Provides increased bandwidth and redundancy for critical connections. Supports LACP, PAgP, and static (manual) aggregation methods. |
|
Enable automatic port channel creation (Auto-LAG). When true, enables automatic detection and creation of port channels. When false, requires manual port channel configuration. Auto-LAG can simplify configuration but may not suit all environments. Equivalent to “port-channel auto” command. Choices:
|
|
System priority for LACP protocol negotiation. Must be between 0 and 65535. Lower values have higher priority in LACP negotiations. Used to determine which switch controls the port channel. Should be consistent across switches for predictable behavior. Default: |
|
Method for distributing traffic across port channel members. Based on MAC addresses - “SRC_MAC”, “DST_MAC”, “SRC_DST_MAC”. Based on IP addresses - “SRC_IP”, “DST_IP”, “SRC_DST_IP”. Based on TCP/UDP ports - “SRC_PORT”, “DST_PORT”, “SRC_DST_PORT”. VLAN-based load balancing methods - “VLAN_SRC_IP”, “VLAN_DST_IP”, “VLAN_SRC_DST_IP”, “VLAN_SRC_MIXED_IP_PORT”, “VLAN_DST_MIXED_IP_PORT”, “VLAN_SRC_DST_MIXED_IP_PORT”. VLAN-based load balancing methods for port channels are only supported on Cisco Catalyst 9600 Series Switches. Choose based on traffic patterns and load balancing requirements. Mixed options combine multiple criteria for better distribution. Choices:
|
|
List of port channel configurations to create. Each port channel aggregates multiple physical interfaces. Supports different protocols (LACP, PAgP, static). Each port channel has unique members and configuration. Port channels can only be configured when “port_channel_auto” is false. |
|
List of physical interfaces that belong to this port channel. All member interfaces must have compatible configuration. Includes interface names and protocol-specific parameters. Member configuration varies based on the chosen protocol. |
|
Name of the physical interface to add to the port channel. Must be a valid interface on the switch. Format is interface type and number (for example, “GigabitEthernet1/0/1”). Interface must not be a member of another port channel. Interface configuration must be compatible with other members. |
|
Learning method for PAgP protocol (PAgP only).
Affects MAC address learning and forwarding behavior. Only applicable when using PAgP protocol. Choices:
|
|
Port channel mode for this member interface. For “LACP” protocol
For “PAgP” protocol
For “NONE” protocol
Choose based on desired negotiation behavior and protocol. Choices:
|
|
Priority for this interface in port channel selection. For “LACP” protocol - 0-65535 (lower values have higher priority). For “PAgP” protocol - 0-255 (lower values have higher priority). Used when more interfaces are available than can be active. Helps determine which interfaces carry traffic in standby scenarios. |
|
LACP packet transmission rate (LACP protocol only).
Fast rate provides quicker failure detection but increases overhead. Only applicable when using LACP protocol. Choices:
|
|
Minimum number of active links required for port channel to be operational. Must be between 2 and 8. Port channel goes down if active links fall below this threshold. Provides guaranteed bandwidth and redundancy requirements. Should be set based on application bandwidth and availability needs. Default: |
|
Name identifier for the port channel interface. Must be between 13 and 15 characters. Format typically follows “Port-channelX” where X is the number. Must be unique within the switch configuration. Used in interface configuration and monitoring. |
|
Protocol to use for this port channel.
LACP provides better standards compliance and interoperability. Choices:
|
|
Multicast Listener Discovery (MLD) Snooping configuration for IPv6. IPv6 equivalent of IGMP Snooping for optimizing IPv6 multicast traffic. Prevents unnecessary IPv6 multicast flooding in Layer 2 networks. Essential for efficient IPv6 multicast application delivery. |
|
Globally enable or disable MLD Snooping. When true, enables MLD Snooping globally on the switch. When false, disables MLD Snooping and floods all IPv6 multicast traffic. Disabled by default on most switches. Equivalent to “ipv6 mld snooping” command. Choices:
|
|
Enable listener message suppression for MLD. When true, suppresses duplicate listener reports to reduce overhead. When false, forwards all listener reports to queriers. Helps optimize bandwidth usage in dense IPv6 multicast environments. Equivalent to “ipv6 mld snooping listener-message-suppression” command. Choices:
|
|
Enable MLD Querier functionality globally. When true, the switch can act as an MLD querier. When false, relies on external queriers (IPv6 routers). Required when no IPv6 multicast router is present in the VLAN. Equivalent to “ipv6 mld snooping querier” command. Choices:
|
|
Source IPv6 address for MLD query messages. Querier Address must be a valid IPv6 Link-Local address. Used when the switch acts as an MLD querier. Should be an address reachable by all IPv6 multicast listeners. Helps identify the querier in network troubleshooting. |
|
Interval in seconds between MLD general query messages. Must be between 1 and 18000 seconds. Lower values provide faster detection of IPv6 membership changes. Higher values reduce network overhead but slow detection. Should be coordinated with IPv6 receiver timeout settings. Default: |
|
MLD version for query messages.
Choose based on IPv6 application requirements and receiver capabilities. “VERSION_2” is recommended for modern IPv6 networks. Choices:
|
|
List of per-VLAN MLD Snooping configurations. Allows customization of MLD Snooping parameters per VLAN. Each VLAN can have different querier settings and mrouter ports. Useful for optimizing IPv6 multicast delivery per network segment. |
|
Enable MLD Snooping for this specific VLAN. When true, MLD Snooping is active for this VLAN. When false, IPv6 multicast traffic is flooded in this VLAN. Overrides the global MLD Snooping setting for this VLAN. Choices:
|
|
Enable immediate leave processing for MLDv1 in this VLAN. When true, immediately removes port from multicast group upon leave. When false, waits for query timeout before removing port. Use with caution in shared media environments. Provides faster leave processing for point-to-point links. Choices:
|
|
List of interface names that connect to IPv6 multicast routers. Interfaces in this list are treated as IPv6 mrouter ports. IPv6 multicast traffic is always forwarded to these ports. Format is interface type and number (for example, “GigabitEthernet1/0/1”). Essential for proper IPv6 multicast routing integration. |
|
Enable MLD Querier for this specific VLAN. When true, this VLAN can have its own MLD querier. When false, relies on external queriers for this VLAN. Useful when different VLANs have different querier requirements. Choices:
|
|
Source IPv6 address for MLD queries in this VLAN. Must be a valid IPv6 address format. Should be an address within the VLAN’s IPv6 prefix. Used for VLAN-specific querier identification. |
|
Query interval for this specific VLAN in seconds. Must be between 1 and 18000 seconds. Can be optimized based on VLAN’s IPv6 multicast traffic patterns. Lower intervals for VLANs with dynamic IPv6 memberships. |
|
MLD version for this VLAN’s query messages.
Can be different from the global MLD version. Choose based on VLAN-specific IPv6 application requirements. Choices:
|
|
VLAN ID for this MLD Snooping configuration. Must be between 1 and 4094. VLAN must exist before configuring MLD Snooping. Each VLAN can have independent MLD Snooping settings. |
|
Individual interface configuration settings for all port types. Allows per-interface customization of Layer 2 features. Each interface can have unique switchport, security, and protocol settings. Essential for fine-grained network access control and optimization. NOTE - configure switchport_interface_config FIRST, before other interface features. |
|
Cisco Discovery Protocol (CDP) interface configuration for this specific interface. Controls CDP operation on individual interfaces independent of global settings. Allows per-interface customization of CDP behavior and logging. Useful for selectively enabling/disabling CDP on specific ports. |
|
Enable or disable CDP on this specific interface. When true, CDP is enabled on this interface (sends and receives CDP packets). When false, CDP is disabled on this interface. Overrides the global CDP setting for this specific interface. Recommended to disable on interfaces connecting to untrusted devices. Choices:
|
|
Enable logging of duplex mismatches detected by CDP on this interface. When true, logs warnings when CDP detects duplex mismatches with the neighbor. When false, duplex mismatch detection logging is disabled for this interface. Useful for troubleshooting connectivity issues and performance problems. Helps identify configuration inconsistencies between connected devices. Choices:
|
|
DHCP Snooping interface configuration for this specific interface. Controls DHCP security features and trust settings per interface. Provides granular control over DHCP packet processing on individual ports. Essential for securing DHCP operations against rogue servers and attacks. |
|
Maximum rate of DHCP packets per second allowed on this interface. Must be between 1 and 2048 packets per second. Helps prevent DHCP flooding attacks by rate-limiting DHCP traffic. Higher rates may be needed for interfaces connecting to DHCP servers. Lower rates are typically sufficient for client access ports. Default: |
|
Configure this interface as trusted for DHCP operations. When true, interface is trusted and DHCP packets are forwarded without inspection. When false, interface is untrusted and DHCP packets are inspected and filtered. Trusted interfaces typically connect to legitimate DHCP servers or uplinks. Untrusted interfaces typically connect to end devices that should not offer DHCP. Choices:
|
|
802.1X authentication configuration for the interface. Configures authentication settings, timers, and behavior for network access control. |
|
Sets the 802.1X authentication mode for the interface.
Determines how the interface handles authentication requests. Choices:
|
|
Authentication method order for the interface.
Defines the sequence in which authentication methods are tried. Methods are attempted in the order specified in the list. Choices:
|
|
Control direction for 802.1X authentication on the interface. When set to When set to Specifies which traffic direction is controlled by authentication. Choices:
|
|
Enable receiving inactivity timer value from RADIUS server. When enabled, uses server-provided inactivity timeout values. Choices:
|
|
Enable periodic re-authentication for 802.1X on the interface. When enabled, authenticated clients are re-authenticated periodically. Choices:
|
|
Enable receiving re-authentication timer value from RADIUS server. When enabled, uses server-provided re-authentication timeout values. Choices:
|
|
Host mode for 802.1X authentication on the interface.
Determines how many hosts can authenticate on a single port. Choices:
|
|
Inactivity timer value in seconds for 802.1X authentication. Time after which an inactive authenticated session is terminated. Valid range is 1-65535 seconds. |
|
Maximum number of re-authentication requests sent to a client. After this limit, the client is considered unreachable. Valid range is 1-10 requests. |
|
Port Access Entity (PAE) type for 802.1X authentication.
Defines the role of the interface in the authentication process. Choices:
|
|
Port control mode for 802.1X authentication.
Determines the initial authorization state of the port. Choices:
|
|
Authentication priority list for the interface. Defines priority order for authentication methods when multiple are configured. |
|
Re-authentication timer value in seconds for 802.1X authentication. Time interval between periodic re-authentication attempts. Valid range is 1-65535 seconds. |
|
Transmission period for EAP Request/Identity frames. Time interval between successive EAP Request/Identity transmissions. Valid range is 1-65535 seconds. |
|
Name of the interface to configure. Must be a valid interface identifier on the target switch. Format is interface type and number (for example, “GigabitEthernet1/0/1”). Interface must exist on the device and be configurable. Used as the key to identify which interface to configure. |
|
Link Layer Discovery Protocol (LLDP) interface configuration for this specific interface. Controls LLDP packet transmission and reception behavior per interface. Provides granular control over LLDP operation on individual ports. Allows optimization of LLDP behavior based on interface usage. |
|
Configure LLDP transmission and reception behavior for this interface.
Choose based on security requirements and interface role in the network. Choices:
|
|
MAC Authentication Bypass (MAB) configuration for this interface. Provides authentication for devices that don’t support 802.1X. Uses device MAC address as the authentication credential. Common for printers, cameras, and legacy devices. |
|
Enable MAC Authentication Bypass on this interface. When true, allows authentication using device MAC address. When false, disables MAB authentication method. Useful for devices that cannot perform 802.1X authentication. Often used in combination with 802.1X authentication. Choices:
|
|
Spanning Tree Protocol configuration for this specific interface. Controls STP behavior, timers, and protection features per port. Allows fine-tuning of STP operation for different interface types. Essential for optimizing convergence and preventing loops. |
|
BPDU Filter configuration for this interface. When true, prevents sending and receiving BPDUs on PortFast ports. When false, allows normal BPDU processing. Use with caution as it can create loops if misconfigured. Typically used on ports connected to end devices. Choices:
|
|
BPDU Guard configuration for this interface. When true, shuts down PortFast ports that receive BPDUs. When false, disables BPDU Guard protection. Protects against accidental switch connections to access ports. Essential security feature for edge port protection. Choices:
|
|
Path cost for this interface in STP calculations. Must be between 1 and 20000000. Lower costs are preferred paths in STP topology. Allows manual control of STP path selection. Should reflect actual link bandwidth and desired traffic flow. |
|
Guard mode configuration for this interface.
Choose based on interface role and protection requirements. Choices:
|
|
Per-VLAN cost configuration for this interface. Allows different costs for different VLANs on the same interface. Enables per-VLAN load balancing in PVST plus environments. Useful for optimizing traffic flow across VLANs. |
|
Cost value to apply to the specified VLANs. Must be between 1 and 20000000. Lower costs make this path preferred for the specified VLANs. Should be coordinated with overall STP design. |
|
List of VLAN IDs to apply this cost setting to. Each VLAN ID must be between 1 and 4094. Allows grouping VLANs with the same cost requirements. VLANs must exist before applying cost settings. |
|
Per-VLAN priority configuration for this interface. Allows different priorities for different VLANs on the same interface. Enables per-VLAN load balancing and traffic engineering. Useful for optimizing port selection across VLANs. |
|
Priority value to apply to the specified VLANs. Must be between 0 and 240 in increments of 16. Lower values have higher priority for forwarding state. Should be coordinated with overall STP design. |
|
List of VLAN IDs to apply this priority setting to. Each VLAN ID must be between 1 and 4094. Allows grouping VLANs with the same priority requirements. VLANs must exist before applying priority settings. |
|
PortFast mode configuration for this interface.
Advanced portfast modes (EDGE_TRUNK, NETWORK, TRUNK) are only supported on Catalyst 9600 Series switches and specific Catalyst 9500 Series models (C9500-32C, C9500-32QC, C9500-48Y4C, C9500-24Y4C, C9500X-28C8D). Choices:
|
|
Port priority for this interface in STP tie-breaking. Must be between 0 and 240 in increments of 16. Lower values have higher priority for forwarding state. Used when multiple ports have equal cost to root bridge. Helps control which ports forward traffic in redundant topologies. Default: |
|
Basic switchport configuration for Layer 2 operation. Defines interface mode, VLAN assignments, and administrative settings. Essential for connecting end devices and configuring trunk links. Forms the foundation of Layer 2 connectivity. |
|
VLAN ID for untagged traffic when interface is in access mode. Must be between 1 and 4094. Only applicable when switchport_mode is “ACCESS”. VLAN must exist before assigning to interface. Defines which VLAN untagged traffic will be placed in. Default: |
|
Administrative status of the interface. When true, interface is administratively enabled (no shutdown). When false, interface is administratively disabled (shutdown). Disabled interfaces do not pass traffic but retain configuration. Used for maintenance and security purposes. Choices:
|
|
List of VLAN IDs allowed on trunk interfaces. Each VLAN ID must be between 1 and 4094. Only applicable when switchport_mode is TRUNK. Controls which VLANs can traverse the trunk link. Helps optimize bandwidth and enhance security. |
|
Native VLAN ID for trunk interfaces (untagged traffic). Must be between 1 and 4094. Only applicable when switchport_mode is TRUNK. Defines which VLAN untagged traffic belongs to on trunk. Should be changed from default (VLAN 1) for security. Default: |
|
Descriptive text for interface documentation and identification. Maximum 230 characters of descriptive text. Should follow organizational naming conventions. Useful for documentation, monitoring, and troubleshooting. Cannot include non-ASCII characters. |
|
Switchport operational mode.
Choices:
|
|
VLAN ID for IP phone traffic on access ports. Must be between 1 and 4094. Allows IP phones to use a separate VLAN for voice traffic. Enables QoS prioritization and security separation for voice. Only applicable on access ports with connected IP phones. |
|
VLAN trunking specific configuration for trunk interfaces. Controls DTP negotiation, protection, and VLAN pruning. Optimizes trunk operation and enhances security. |
|
Dynamic Trunking Protocol (DTP) negotiation setting. Controls whether the interface participates in DTP negotiation. When enabled, interface can negotiate trunking with neighbor. When disabled, prevents DTP packet transmission (recommended for security). Disable DTP when connecting to non-Cisco devices or for security. DTP negotiation control REQUIRES “switchport_mode” to be “TRUNK” (not “DYNAMIC”). Choices:
|
|
Enable protected port functionality. When true, prevents traffic between protected ports at Layer 2. Traffic between protected ports must traverse a Layer 3 device. Useful for isolating ports within the same VLAN. Enhances security in shared network environments. Choices:
|
|
List of VLAN IDs eligible for VTP pruning on this trunk. Each VLAN ID must be between 1 and 4094. Controls which VLANs can be pruned from this trunk. Helps optimize bandwidth by removing unnecessary VLAN traffic. Works in conjunction with global VTP pruning settings. |
|
VLAN Trunking Protocol (VTP) interface configuration for this specific interface. Controls VTP advertisement processing on individual interfaces. Allows per-interface control of VTP participation. Useful for securing VTP domains and preventing unauthorized updates. |
|
Enable or disable VTP on this specific interface. When true, VTP advertisements are processed on this interface. When false, VTP advertisements are blocked on this interface. Helps prevent VTP updates from untrusted sources. Recommended to disable on interfaces connecting to untrusted switches. Choices:
|
|
Spanning Tree Protocol (STP) global and per-VLAN configuration settings. STP prevents loops in redundant network topologies while providing path redundancy. Supports PVST+, RSTP, and MST modes for different network requirements. Critical for network stability in environments with redundant paths. |
|
Enable BackboneFast for faster convergence on indirect link failures. When true, enables BackboneFast to detect indirect failures quickly. Reduces convergence time from 50 seconds to 30 seconds for indirect failures. Works in conjunction with UplinkFast for optimal convergence. Equivalent to “spanning-tree backbonefast” command. Choices:
|
|
Global BPDU Filter configuration for PortFast-enabled ports. When true, prevents sending and receiving BPDUs on PortFast ports. Should be used with caution as it can create loops if misconfigured. Typically used in environments where STP is not needed on edge ports. Equivalent to “spanning-tree portfast bpdufilter default” command. Choices:
|
|
Global BPDU Guard configuration for PortFast-enabled ports. When true, shuts down PortFast ports that receive BPDUs. Protects against accidental switch connections to access ports. Essential security feature for edge port protection. Equivalent to “spanning-tree portfast bpduguard default” command. Choices:
|
|
Enable EtherChannel Guard to detect EtherChannel misconfigurations. When true, detects when one side has EtherChannel configured but the other doesn’t. Prevents loops and inconsistencies in EtherChannel configurations. Essential for maintaining EtherChannel integrity. Equivalent to “spanning-tree etherchannel guard misconfig” command. Choices:
|
|
Enable extended system ID for bridge priority calculation. When true, uses VLAN ID as part of bridge ID calculation. Required for PVST plus operation with more than 64 VLANs. Changes bridge priority calculation to include VLAN ID. Equivalent to “spanning-tree extend system-id” command. Choices:
|
|
List of per-VLAN STP instance configurations. Allows customization of STP parameters for specific VLANs. Each instance can have different priorities and timers. Useful for load balancing and fine-tuning STP behavior. |
|
Enable or disable STP for this specific VLAN. When true, STP is active for this VLAN. When false, STP is disabled for this VLAN (use with caution). Disabling STP can create loops if redundant paths exist. Choices:
|
|
Forward delay timer for this STP instance in seconds. Must be between 4 and 30 seconds. Time spent in listening and learning states during convergence. Should be coordinated with max age and hello interval. Affects convergence time, shorter delays mean faster convergence. Default: |
|
Hello interval timer for this STP instance in seconds. Must be between 1 and 10 seconds. Frequency of BPDU transmission by the root bridge. Lower values provide faster detection but increase overhead. Should be coordinated with max age and forward delay. Default: |
|
Maximum age timer for this STP instance in seconds. Must be between 6 and 40 seconds. Time to wait for BPDUs before aging out port information. Should be coordinated with hello interval and forward delay. Affects convergence time and stability. Default: |
|
Bridge priority for this VLAN’s STP instance. Must be between 0 and 61440 in increments of 4096. Lower values have higher priority (more likely to be root). Default is 32768. Common values 4096, 8192, 16384, 24576. Used for load balancing across multiple VLANs. Default: |
|
VLAN ID for this STP instance configuration. Must be between 1 and 4094. Each VLAN can have its own STP parameters. VLAN must exist before STP instance configuration. |
|
Enable STP event logging for troubleshooting. When true, logs STP state changes and events. Useful for monitoring STP behavior and troubleshooting issues. May increase log verbosity in environments with frequent topology changes. Equivalent to “spanning-tree logging” command. Choices:
|
|
Global Loop Guard configuration to prevent loops from unidirectional failures. When true, prevents alternate/root ports from becoming designated ports. Protects against loops caused by unidirectional link failures. Complements UDLD for comprehensive loop prevention. Equivalent to “spanning-tree loopguard default” command. Choices:
|
|
Spanning Tree Protocol mode to operate in.
Choose based on network size, convergence requirements, and vendor compatibility. Choices:
|
|
Global PortFast mode configuration for edge ports.
PortFast bypasses listening and learning states for faster convergence. Advanced portfast modes (EDGE, NETWORK, TRUNK) are only supported on Catalyst 9600 Series and specific Catalyst 9500 Series models (C9500-32C, C9500-32QC, C9500-48Y4C, C9500-24Y4C, C9500X-28C8D). Choices:
|
|
Maximum number of BPDUs sent per hello interval. Must be between 1 and 20. Controls BPDU transmission rate to prevent overwhelming neighbors. Higher values allow more BPDUs but may impact performance. Equivalent to “spanning-tree transmit hold-count” command. Default: |
|
Enable UplinkFast for faster convergence on direct link failures. When true, enables UplinkFast for access layer switches. Provides sub-second convergence for direct uplink failures. Should only be enabled on access layer switches, not distribution/core. Equivalent to “spanning-tree uplinkfast” command. Choices:
|
|
Maximum rate of update packets sent when UplinkFast is enabled. Must be between 0 and 32000 packets per second. Controls the rate of multicast packets sent during convergence. Higher rates provide faster convergence but may impact performance. Only applicable when UplinkFast is enabled. Default: |
|
List of VLAN configurations to create or modify on the device. VLANs are fundamental building blocks for network segmentation. Each VLAN must have a unique ID within the valid range (1-4094). Default VLANs (1, 1002-1005) are typically pre-configured and should not be modified. |
|
Administrative status of the VLAN (enabled or disabled). When true, the VLAN is active and can carry traffic. When false, the VLAN is administratively shut down. Disabled VLANs do not forward traffic but retain their configuration. NOTE - “vlan_admin_status” can only be modified for VLAN IDs 2-1001. Extended range VLANs (1002-4094) do not support admin status updates. Choices:
|
|
Unique identifier for the VLAN. Must be within the valid range of 1 to 4094. VLAN 1 is the default VLAN and exists on all switches. VLANs 1002-1005 are reserved for legacy protocols. Extended VLANs (1006-4094) may require VTP version 3. |
|
Descriptive name for the VLAN to aid in identification and management. Maximum length depends on VTP version (32 chars for v1/v2, 128 chars for v3). Should be descriptive and follow organizational naming conventions. If not specified, defaults to “VLAN” followed by the VLAN ID with leading zeros. Must contain only ASCII characters (0-127) as per Catalyst Center API requirements. Cannot contain whitespace characters (spaces, tabs, newlines) or question marks (?). Use underscores (_) or hyphens (-) instead of spaces for better compatibility. Empty strings are not allowed and will cause API validation errors. Examples - “SALES_VLAN”, “IOT_DEVICES”, “GUEST_NETWORK” |
|
VLAN Trunking Protocol (VTP) configuration settings. VTP synchronizes VLAN configuration across switches in a domain. Enables centralized VLAN management for large switched networks. Requires careful planning to avoid accidental VLAN deletion. |
|
Custom filename for VTP configuration storage. Default is “vlan.dat” in the flash file system. Maximum 244 characters for custom filenames. Useful for backup and recovery procedures. Should include full path if not in default location. NOTE - Due to API limitations, this parameter does not support empty string values (“”) for resetting to default. To reset this parameter, the entire VTP configuration has to be reset using the “deleted” state. |
|
VTP domain name for switch participation. Maximum 32 characters for VTP domains. All switches in the same domain share VLAN information. Case-sensitive and must match exactly across all domain switches. Required for VTP version 3 operation. Once domain name is set, it can be updated but cannot be reset. |
|
VTP operational mode for this switch.
Choose based on network role and VLAN management strategy. VTP modes SERVER and CLIENT do not support extended range VLANs (1006-4094). If extended range VLANs are configured on the device, VTP mode must be set to TRANSPARENT or OFF. Choices:
|
|
Enable VTP pruning to optimize bandwidth usage. When true, restricts flooded traffic to only necessary trunk links. Reduces unnecessary broadcast traffic in the VTP domain. Only affects VLANs 2-1001; VLAN 1 and extended VLANs are not pruned. Can only be configured when “vtp_mode” is “SERVER”. Choices:
|
|
Interface to use as the source for VTP updates. Specifies which interface IP becomes the VTP updater address. Useful for identifying which switch made the last update. Should be a consistently available interface like a loopback. Format: interface type and number (for example, “GigabitEthernet1/0/1”). NOTE - Due to API limitations, this parameter does not support empty string values (“”) for resetting to default. To reset this parameter, the entire VTP configuration has to be reset using the “deleted” state. |
|
VTP protocol version to use.
Higher versions provide more features but require compatible switches. Choices:
|
|
Set to true to verify the Cisco Catalyst Center configuration after applying the playbook configuration. Choices:
|
|
Defines the timeout in seconds for API calls to retrieve task details. If the task details are not received within this period, the process will end, and a timeout notification will be logged. Default: |
|
Indicates whether debugging is enabled in the Cisco Catalyst Center SDK. Choices:
|
|
The hostname of the Cisco Catalyst Center. |
|
Flag to enable/disable playbook execution logging. When true and dnac_log_file_path is provided, the log file is created at the execution location with the specified name. When true and dnac_log_file_path is not provided, the log file is created at the execution location with the name ‘dnac.log’. When false, logging is disabled. If the log file doesn’t exist, it is created in append or write mode based on the “dnac_log_append” flag. If the log file exists, it is overwritten or appended based on the “dnac_log_append” flag. Choices:
|
|
Determines the mode of the file. Set to True for ‘append’ mode. Set to False for ‘write’ mode. Choices:
|
|
Governs logging. Logs are recorded if dnac_log is True. If path is not specified: when ‘dnac_log_append’ is True, ‘dnac.log’ is generated in the current Ansible directory and logs are appended; when ‘dnac_log_append’ is False, ‘dnac.log’ is generated and logs are overwritten. If path is specified: when ‘dnac_log_append’ is True, the file opens in append mode; when ‘dnac_log_append’ is False, the file opens in write (w) mode. In shared file scenarios, without append mode, content is overwritten after each module execution. For a shared log file, set append to False for the 1st module (to overwrite); for subsequent modules, set append to True. Default: |
|
Sets the threshold for log level. Messages with a level equal to or higher than this will be logged. Levels are listed in order of severity [CRITICAL, ERROR, WARNING, INFO, DEBUG]. CRITICAL indicates serious errors halting the program. Displays only CRITICAL messages. ERROR indicates problems preventing a function. Displays ERROR and CRITICAL messages. WARNING indicates potential future issues. Displays WARNING, ERROR, CRITICAL messages. INFO tracks normal operation. Displays INFO, WARNING, ERROR, CRITICAL messages. DEBUG provides detailed diagnostic info. Displays all log messages. Default: |
|
The password for authentication at the Cisco Catalyst Center. |
|
Specifies the port number associated with the Cisco Catalyst Center. Default: |
|
Specifies the interval in seconds between successive calls to the API to retrieve task details. Default: |
|
The username for authentication at the Cisco Catalyst Center. Default: |
|
Flag to enable or disable SSL certificate verification. Choices:
|
|
Specifies the version of the Cisco Catalyst Center that the SDK should use. Default: |
|
The desired state of Cisco Catalyst Center after module execution. Choices:
|
|
Flag for Cisco Catalyst Center SDK to enable the validation of request bodies against a JSON schema. Choices:
|
Notes
Note
SDK methods used are:
- devices.get_device_list
- wired.Wired.get_configurations_for_an_intended_layer2_feature_on_a_wired_device
- wired.Wired.get_configurations_for_a_deployed_layer2_feature_on_a_wired_device
- wired.Wired.create_configurations_for_an_intended_layer2_feature_on_a_wired_device
- wired.Wired.update_configurations_for_an_intended_layer2_feature_on_a_wired_device
- wired.Wired.delete_configurations_for_an_intended_layer2_feature_on_a_wired_device
- wired.Wired.deploy_the_intended_configuration_features_on_a_wired_device
Paths used are:
- GET /dna/intent/api/v1/networkDevices
- GET /dna/intent/api/v1/networkDevices/${id}/configFeatures/intended/layer2/${feature}
- GET /dna/intent/api/v1/networkDevices/${id}/configFeatures/intended/layer2/${feature}
- POST /dna/intent/api/v1/networkDevices/${id}/configFeatures/intended/layer2/${feature}
- PUT /dna/intent/api/v1/networkDevices/${id}/configFeatures/intended/layer2/${feature}
- DELETE /dna/intent/api/v1/networkDevices/${id}/configFeatures/intended/layer2/${feature}
- POST /dna/intent/api/v1/networkDevices/${id}/configFeatures/deploy
Does not support check_mode.
The plugin runs on the control node and does not use any Ansible connection plugins; instead it uses the embedded connection manager from the Cisco Catalyst Center SDK.
The parameters starting with dnac_ are used by the Cisco Catalyst Center Python SDK to establish the connection.
Examples
- name: Create multiple VLANs with comprehensive settings
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        device_collection_status_check: false
        layer2_configuration:
          vlans:
            - vlan_id: 100
              vlan_name: Production_Network
              vlan_admin_status: true
            - vlan_id: 200
              vlan_name: Development_Network
              vlan_admin_status: true
            - vlan_id: 300
              vlan_name: Guest_Network
              vlan_admin_status: false
- name: Update VLAN settings
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          vlans:
            - vlan_id: 300
              vlan_name: Guest_Network_Updated
              vlan_admin_status: true
- name: Delete VLANs
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: deleted
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          vlans:
            - vlan_id: 300
- name: Configure CDP discovery protocol
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          cdp:
            cdp_admin_status: true
            cdp_hold_time: 180
            cdp_timer: 60
            cdp_advertise_v2: true
            cdp_log_duplex_mismatch: true
- name: Configure LLDP discovery protocol
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          lldp:
            lldp_admin_status: true
            lldp_hold_time: 240
            lldp_timer: 30
            lldp_reinitialization_delay: 3
- name: Configure Spanning Tree Protocol
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          stp:
            stp_mode: MST
            stp_portfast_mode: ENABLE
            stp_bpdu_guard: true
            stp_bpdu_filter: false
            stp_backbonefast: true
            stp_extended_system_id: true
            stp_logging: true
            stp_loopguard: false
            stp_transmit_hold_count: 8
            stp_uplinkfast: false
            stp_uplinkfast_max_update_rate: 200
            stp_etherchannel_guard: true
            stp_instances:
              - stp_instance_vlan_id: 100
                stp_instance_priority: 32768
                enable_stp: true
                stp_instance_max_age_timer: 20
                stp_instance_hello_interval_timer: 2
                stp_instance_forward_delay_timer: 15
              - stp_instance_vlan_id: 200
                stp_instance_priority: 16384
                enable_stp: true
- name: Configure VLAN Trunking Protocol
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          vtp:
            vtp_mode: TRANSPARENT
            vtp_version: VERSION_2
            vtp_domain_name: CORPORATE_DOMAIN
            # The parameter reference says pruning can only be configured when vtp_mode is SERVER
            vtp_pruning: true
            vtp_configuration_file_name: flash:vtp_config.dat
            vtp_source_interface: Loopback0
- name: Configure DHCP Snooping
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          dhcp_snooping:
            dhcp_admin_status: true
            dhcp_snooping_vlans:
              - 100
              - 200
              - 300
            dhcp_snooping_glean: true
            dhcp_snooping_database_agent_url: tftp://192.168.1.100/dhcp_binding.db
            dhcp_snooping_database_timeout: 600
            dhcp_snooping_database_write_delay: 300
            dhcp_snooping_proxy_bridge_vlans:
              - 100
              - 200
- name: Configure IGMP Snooping for multicast
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          igmp_snooping:
            enable_igmp_snooping: true
            igmp_snooping_querier: false
            igmp_snooping_querier_address: 192.168.1.10
            igmp_snooping_querier_version: VERSION_2
            igmp_snooping_querier_query_interval: 125
            igmp_snooping_vlans:
              - igmp_snooping_vlan_id: 100
                enable_igmp_snooping: true
                igmp_snooping_querier: false
                igmp_snooping_querier_address: 192.168.1.11
                igmp_snooping_querier_version: VERSION_2
                igmp_snooping_querier_query_interval: 125
                igmp_snooping_mrouter_port_list:
                  - GigabitEthernet1/0/1
                  - GigabitEthernet1/0/2
              - igmp_snooping_vlan_id: 200
                enable_igmp_snooping: true
                igmp_snooping_querier: true
                igmp_snooping_querier_version: VERSION_3
                igmp_snooping_querier_query_interval: 90
- name: Configure MLD Snooping for IPv6 multicast
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          mld_snooping:
            enable_mld_snooping: true
            mld_snooping_querier: false
            mld_snooping_querier_address: fe80::1
            mld_snooping_querier_version: VERSION_2
            mld_snooping_listener: true
            mld_snooping_querier_query_interval: 125
            mld_snooping_vlans:
              - mld_snooping_vlan_id: 100
                enable_mld_snooping: true
                mld_snooping_enable_immediate_leave: false
                mld_snooping_querier: false
                mld_snooping_querier_address: fe80::10
                mld_snooping_querier_version: VERSION_2
                mld_snooping_querier_query_interval: 125
                mld_snooping_mrouter_port_list:
                  - GigabitEthernet1/0/3
                  - GigabitEthernet1/0/4
- name: Configure 802.1X Authentication
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          authentication:
            enable_dot1x_authentication: true
            authentication_config_mode: NEW_STYLE
- name: Configure LACP and PAGP Port Channels
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          logical_ports:
            port_channel_auto: false
            port_channel_lacp_system_priority: 4096
            port_channel_load_balancing_method: SRC_DST_MIXED_IP_PORT
            port_channels:
              - port_channel_protocol: LACP
                port_channel_name: Port-channel1
                port_channel_min_links: 2
                port_channel_members:
                  - port_channel_interface_name: GigabitEthernet1/0/10
                    port_channel_mode: ACTIVE
                    port_channel_port_priority: 128
                    port_channel_rate: 30
                  - port_channel_interface_name: GigabitEthernet1/0/11
                    port_channel_mode: ACTIVE
                    port_channel_port_priority: 128
                    port_channel_rate: 30
              - port_channel_protocol: PAGP
                port_channel_name: Port-channel2
                port_channel_min_links: 1
                port_channel_members:
                  - port_channel_interface_name: GigabitEthernet1/0/12
                    port_channel_mode: DESIRABLE
                    port_channel_port_priority: 128
                    port_channel_learn_method: AGGREGATION_PORT
- name: Configure Access Port with authentication and security
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          port_configuration:
            - interface_name: GigabitEthernet1/0/5
              switchport_interface_config:
                switchport_description: Access Port - Production Network
                switchport_mode: ACCESS
                access_vlan: 100
                admin_status: true
                voice_vlan: 200
              vlan_trunking_interface_config:
                enable_dtp_negotiation: false
                protected: false
              dot1x_interface_config:
                dot1x_interface_authentication_order:
                  - DOT1X
                  - MAB
                dot1x_interface_authentication_mode: OPEN
                dot1x_interface_pae_type: AUTHENTICATOR
                dot1x_interface_control_direction: BOTH
                dot1x_interface_host_mode: MULTI_AUTHENTICATION
                dot1x_interface_port_control: AUTO
                dot1x_interface_inactivity_timer: 300
                dot1x_interface_max_reauth_requests: 3
                dot1x_interface_reauth_timer: 3600
              mab_interface_config:
                mab_interface_enable: true
              stp_interface_config:
                stp_interface_enable_portfast: true
                stp_interface_enable_bpdu_guard: true
                stp_interface_enable_bpdu_filter: false
                stp_interface_enable_root_guard: false
                stp_interface_enable_loop_guard: false
                stp_interface_port_priority: 128
                stp_interface_cost: 19
              dhcp_snooping_interface_config:
                dhcp_snooping_interface_rate_limit: 100
                dhcp_snooping_interface_trust: true
              cdp_interface_config:
                cdp_interface_admin_status: true
                cdp_interface_logging: true
              lldp_interface_config:
                lldp_interface_transmit: true
                lldp_interface_receive: true
              vtp_interface_config:
                vtp_interface_admin_status: true
- name: Configure Trunk Port for inter-switch links
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          port_configuration:
            - interface_name: GigabitEthernet1/0/6
              switchport_interface_config:
                switchport_description: Trunk Port - Inter-Switch Link
                switchport_mode: TRUNK
                allowed_vlans:
                  - 100
                  - 200
                  - 300
                  - 400
                native_vlan_id: 100
                admin_status: true
              vlan_trunking_interface_config:
                # The parameter reference recommends disabling DTP negotiation for security
                enable_dtp_negotiation: true
                protected: true
                pruning_vlan_ids:
                  - 300
                  - 400
              stp_interface_config:
                stp_interface_enable_portfast: false
                stp_interface_enable_bpdu_guard: false
                stp_interface_enable_bpdu_filter: false
                stp_interface_enable_root_guard: true
                stp_interface_enable_loop_guard: true
                stp_interface_port_priority: 64
                stp_interface_cost: 100
- name: Comprehensive network configuration with all Layer 2 features
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - ip_address: 204.1.2.3
        device_collection_status_check: false
        layer2_configuration:
          vlans:
            - vlan_id: 10
              vlan_name: Management
              vlan_admin_status: true
            - vlan_id: 20
              vlan_name: Production
              vlan_admin_status: true
            - vlan_id: 30
              vlan_name: Development
              vlan_admin_status: true
            - vlan_id: 40
              vlan_name: Guest
              vlan_admin_status: true
          cdp:
            cdp_admin_status: true
            cdp_hold_time: 180
            cdp_timer: 60
            cdp_advertise_v2: true
            cdp_log_duplex_mismatch: true
          lldp:
            lldp_admin_status: true
            lldp_hold_time: 240
            lldp_timer: 30
            lldp_reinitialization_delay: 3
          stp:
            stp_mode: RSTP
            stp_portfast_mode: ENABLE
            stp_bpdu_guard: true
            stp_bpdu_filter: false
            stp_backbonefast: true
            stp_extended_system_id: true
            stp_logging: true
            stp_instances:
              - stp_instance_vlan_id: 10
                stp_instance_priority: 32768
                enable_stp: true
              - stp_instance_vlan_id: 20
                stp_instance_priority: 16384
                enable_stp: true
          vtp:
            vtp_mode: SERVER
            vtp_version: VERSION_2
            vtp_domain_name: ENTERPRISE_DOMAIN
            vtp_pruning: true
          dhcp_snooping:
            dhcp_admin_status: true
            dhcp_snooping_vlans:
              - 20
              - 30
              - 40
            dhcp_snooping_glean: true
          igmp_snooping:
            enable_igmp_snooping: true
            igmp_snooping_querier: false
            igmp_snooping_querier_version: VERSION_2
            igmp_snooping_vlans:
              - igmp_snooping_vlan_id: 20
                enable_igmp_snooping: true
                igmp_snooping_querier: false
          authentication:
            enable_dot1x_authentication: true
            authentication_config_mode: NEW_STYLE
          logical_ports:
            port_channel_auto: false
            port_channel_lacp_system_priority: 8192
            port_channel_load_balancing_method: SRC_DST_IP
            port_channels:
              - port_channel_protocol: LACP
                port_channel_name: Port-channel10
                port_channel_min_links: 2
                port_channel_members:
                  - port_channel_interface_name: GigabitEthernet1/0/16
                    port_channel_mode: ACTIVE
                    port_channel_port_priority: 128
                    port_channel_rate: 30
                  - port_channel_interface_name: GigabitEthernet1/0/17
                    port_channel_mode: ACTIVE
                    port_channel_port_priority: 128
                    port_channel_rate: 30
          port_configuration:
            - interface_name: GigabitEthernet1/0/1
              switchport_interface_config:
                switchport_description: Management Port
                switchport_mode: ACCESS
                access_vlan: 10
                admin_status: true
              stp_interface_config:
                stp_interface_enable_portfast: true
                stp_interface_enable_bpdu_guard: true
              dhcp_snooping_interface_config:
                dhcp_snooping_interface_trust: true
            - interface_name: GigabitEthernet1/0/2
              switchport_interface_config:
                switchport_description: Production User Port
                switchport_mode: ACCESS
                access_vlan: 20
                admin_status: true
              dot1x_interface_config:
                dot1x_interface_authentication_order:
                  - DOT1X
                  - MAB
                dot1x_interface_port_control: AUTO
              stp_interface_config:
                stp_interface_enable_portfast: true
- name: Reset CDP to default settings
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: deleted
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          cdp: {}
- name: Reset LLDP to default settings
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: deleted
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          lldp: {}
- name: Comprehensive cleanup of all Layer 2 configurations
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: deleted
    config:
      - ip_address: 204.1.2.3
        layer2_configuration:
          vlans:
            - vlan_id: 10
            - vlan_id: 20
            - vlan_id: 30
            - vlan_id: 40
            - vlan_id: 100
            - vlan_id: 200
            - vlan_id: 300
          cdp: {}
          lldp: {}
          vtp: {}
          dhcp_snooping: {}
          authentication: {}
- name: Configure using device hostname
  cisco.dnac.wired_campus_automation_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    state: merged
    config:
      - hostname: switch01.example.com
        device_collection_status_check: true
        config_verification_wait_time: 15
        layer2_configuration:
          vlans:
            - vlan_id: 100
              vlan_name: Finance_VLAN
              vlan_admin_status: true
          cdp:
            cdp_admin_status: true
            cdp_hold_time: 200
            cdp_timer: 90
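The ranges, mode dependencies and security recommendations stated in the parameter reference can be checked before a playbook is sent to Catalyst Center. The Python lint below is an added example, not part of the cisco.dnac collection: `lint_layer2`, the severity labels and the path strings are assumptions of this example, and the sample input is constructed.

```python
# Added example: pre-flight lint for one `layer2_configuration` dict.
# Ranges and recommendations come from the parameter reference on this page;
# lint_layer2, the severities and the path strings are assumptions of this example.

# (key, low, high, step) for per-VLAN STP instance settings
STP_INSTANCE_RANGES = [
    ("stp_instance_priority", 0, 61440, 4096),
    ("stp_instance_forward_delay_timer", 4, 30, 1),
    ("stp_instance_hello_interval_timer", 1, 10, 1),
    ("stp_instance_max_age_timer", 6, 40, 1),
]


def _in_range(value, low, high, step=1):
    # bool is a subclass of int, so a YAML `true` must not pass as a number
    if not isinstance(value, int) or isinstance(value, bool):
        return False
    return low <= value <= high and value % step == 0


def lint_layer2(l2):
    """Return a sorted list of (severity, path, message) findings."""
    out = []

    vlan_ids = [v.get("vlan_id") for v in l2.get("vlans") or []]
    for vid in vlan_ids:
        if not _in_range(vid, 1, 4094):
            out.append(("error", "vlans", f"vlan_id {vid!r} is outside 1-4094"))

    # Only VLANs declared in this same config are visible to the check.
    vtp = l2.get("vtp") or {}
    mode = vtp.get("vtp_mode")
    extended = [v for v in vlan_ids if _in_range(v, 1006, 4094)]
    if mode in ("SERVER", "CLIENT") and extended:
        out.append(("error", "vtp.vtp_mode",
                    f"{mode} does not support extended VLANs {extended}"))
    if vtp.get("vtp_pruning") is True and mode not in (None, "SERVER"):
        out.append(("error", "vtp.vtp_pruning",
                    "only configurable when vtp_mode is SERVER"))

    stp = l2.get("stp") or {}
    if stp.get("stp_bpdu_filter") is True:
        out.append(("warn", "stp.stp_bpdu_filter",
                    "PortFast ports stop sending and receiving BPDUs"))
    for inst in stp.get("stp_instances") or []:
        where = f"stp.stp_instances[vlan {inst.get('stp_instance_vlan_id')}]"
        if not _in_range(inst.get("stp_instance_vlan_id"), 1, 4094):
            out.append(("error", where, "stp_instance_vlan_id is outside 1-4094"))
        for key, low, high, step in STP_INSTANCE_RANGES:
            if key in inst and not _in_range(inst[key], low, high, step):
                out.append(("error", f"{where}.{key}",
                            f"{inst[key]!r} not in {low}-{high} step {step}"))
        if inst.get("enable_stp") is False:
            out.append(("warn", f"{where}.enable_stp",
                        "loops are possible if redundant paths exist"))

    for port in l2.get("port_configuration") or []:
        where = f"port_configuration[{port.get('interface_name', '<unnamed>')}]"
        sw = port.get("switchport_interface_config") or {}
        trunking = port.get("vlan_trunking_interface_config") or {}
        stp_if = port.get("stp_interface_config") or {}
        prio = stp_if.get("stp_interface_port_priority")
        if prio is not None and not _in_range(prio, 0, 240, 16):
            out.append(("error", f"{where}.stp_interface_port_priority",
                        f"{prio!r} not in 0-240 step 16"))
        if sw.get("switchport_mode") != "TRUNK":
            continue
        # The reference names VLAN 1 as the default native VLAN.
        if sw.get("native_vlan_id", 1) == 1:
            out.append(("warn", f"{where}.native_vlan_id",
                        "trunk still uses native VLAN 1"))
        if trunking.get("enable_dtp_negotiation") is True:
            out.append(("warn", f"{where}.enable_dtp_negotiation",
                        "reference recommends disabling DTP for security"))
        for vid in sw.get("allowed_vlans") or []:
            if not _in_range(vid, 1, 4094):
                out.append(("error", f"{where}.allowed_vlans",
                            f"{vid!r} is outside 1-4094"))
    return sorted(out)


# Constructed sample input (not taken from a real device or playbook run).
SAMPLE = {
    "vlans": [{"vlan_id": 100}, {"vlan_id": 2000}],
    "vtp": {"vtp_mode": "TRANSPARENT", "vtp_pruning": True},
    "stp": {
        "stp_bpdu_filter": True,
        "stp_instances": [{"stp_instance_vlan_id": 100,
                           "stp_instance_priority": 30000}],
    },
    "port_configuration": [{
        "interface_name": "GigabitEthernet1/0/6",
        "switchport_interface_config": {"switchport_mode": "TRUNK",
                                        "allowed_vlans": [100, 2000]},
        "vlan_trunking_interface_config": {"enable_dtp_negotiation": True},
        "stp_interface_config": {"stp_interface_port_priority": 100},
    }],
}

if __name__ == "__main__":
    for severity, path, message in lint_layer2(SAMPLE):
        print(f"{severity:5} {path}: {message}")
```

Pass it the `layer2_configuration` mapping of each `config` entry after loading the playbook variables; errors mirror limits the reference states as hard requirements, warnings mirror its security recommendations.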
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
A dictionary with the response returned by the Cisco Catalyst Center Python SDK Returned: always Sample: |
|
A string with the response returned by the Cisco Catalyst Center Python SDK Returned: always Sample: |