saltext.vmware.states.nsxt_policy_tier1#
State module for NSX-T tier1 gateway
- saltext.vmware.states.nsxt_policy_tier1.present(name, hostname, username, password, display_name, verify_ssl=True, cert=None, arp_limit=None, type=None, cert_common_name=None, state=None, tags=None, id=None, description=None, default_rule_logging=None, disable_firewall=None, failover_mode=None, enable_standby_relocation=None, force_whitelisting=None, intersite_config=None, ipv6_ndra_profile_id=None, ipv6_ndra_profile_display_name=None, ipv6_dad_profile_id=None, ipv6_dad_profile_display_name=None, dhcp_config_id=None, dhcp_config_display_name=None, pool_allocation=None, qos_profile=None, route_advertisement_rules=None, route_advertisement_types=None, tier0_id=None, tier0_display_name=None, static_routes=None, locale_services=None)[source]#
Creates or Updates(if present with same display_name) tier 1 gateway and its sub-resources with the given specifications.
Note: To delete any subresource of tier 1 provide state parameter as absent
CLI Example:
salt vm_minion nsxt_policy_tier1.present hostname=nsxt-manager.local username=admin ...
nsxt_policy_tier1.present: - name: Create tier 1 gateway hostname: <hostname> username: <username> password: <password> cert: <certificate> verify_ssl: <False/True> arp_limit: <arp-limit> default_rule_logging: True/False description: <description> dhcp_config_id/dhcp_config_display_name: <dhcp-config-relay id or display-name> disable_firewall: False/True display_name: <display-name-for-tier-1> enable_standby_relocation: True/False failover_mode: <failover-mode> force_whitelisting: False/True id: <tier-1-id> ipv6_ndra_profile_id/ipv6_ndra_profile_display_name: <ipv6-ndra-profile-id or display-name> ipv6_dad_profile_id/ipv6_dad_profile_display_name: <ipv6-dad-profile-id or display-name> tier0_display_name/tier0_id: <tier0 to attach> pool_allocation: <pool allocation enum> type: <type enum> static_routes: - id: <static-route-id> network: <static-route-network-cidr> display_name: <static-route display name> description: <static route description> enabled_on_secondary: True/False next_hops: - admin_distance: <admin-distance-number> ip_address: <next-ho-ip-address locale_services: - id: <locale-service-id> display_name: <locale-service-display_name>, description: LS_By_Salt, route_redistribution_config: bgp_enabled: true/false ospf_enabled: true/false redistribution_rules: - name: <redestribution-rule-name>, route_redistribution_types: - <redestribution types enum> bfd_profile_display_name/bfd_profile_id: <bfd-profile-id or display name> edge_cluster_info: site_id: <infra-site-id> enforcementpoint_id: <infra-enforcement-id> edge_cluster_id/edge_cluster_display_name: <edge cluster id or display name> preferred_edge_nodes_info: - site_id: <infra-site-id> enforcementpoint_id: <infra-enforcement-id> edge_cluster_id/edge_cluster_display_name: <edge-cluster-id or display-name> edge_node_id/edge_hone_display_name: <edge-node-id or display-name> interfaces: - segment_id: T0GW_By_Salt1 ipv6_ndra_profile_display_name/ipv6_ndra_profile_id: <ipv6-ndra-profile-id or display-name> dhcp_config_id/dhcp_config_display_name: <dhcp-relay-config-id or display name> display_name: <interface display name> id: <interface id> description: <interface description mtu: <mtu number> subnets: - ip_addresses: - <ip-address> prefix_len: <prefix-len-number> urpf_mode: <urpf-mode-enum>
- hostname
The host name of NSX-T manager
- username
Username to connect to NSX-T manager
- password
Password to connect to NSX-T manager
- verify_ssl
Option to enable/disable SSL verification. Enabled by default. If set to False, the certificate validation is skipped.
- cert
(Optional) Path to the SSL client certificate file to connect to NSX-T manager. The certificate can be retrieved from browser.
- cert_common_name
(Optional) By default, the hostname parameter and the common name in certificate is compared for host name verification. If the client certificate common name and hostname do not match (in case of self-signed certificates), specify the certificate common name as part of this parameter. This value is then used to compare against
display_name:
- description:
Display name.
If resource ID is not specified, display_name will be used as ID.
required: true type: str
- state:
- description: present or absent keyword is used as an indetifier, default value is present.
If a user has provided absent that resource/sub-resource will be deleted
- tags:
description: Opaque identifiers meaningful to the API user. type: dict suboptions:
- scope:
description: Tag scope. required: true type: str
- tag:
description: Tag value. required: true type: str
- id:
description: Tier-1 ID required: false type: str
- description:
description: Tier-1 description type: str
- default_rule_logging:
- description: Enable logging for whitelisted rule.
Indicates if logging should be enabled for the default whitelisting rule.
default: false
- disable_firewall:
description: Disable or enable gateway fiewall.
default: False type: bool
failover_mode:
- description: Determines the behavior when a Tier-1 instance in
ACTIVE-STANDBY high-availability mode restarts after a failure. If set to PREEMPTIVE, the preferred node will take over, even if it causes another failure. If set to NON_PREEMPTIVE, then the instance that restarted will remain secondary. This property must not be populated unless the ha_mode property is set to ACTIVE_STANDBY.
choices:
‘NON_PREEMPTIVE’
‘PREEMPTIVE’
type: str
enable_standby_relocation:
- description:
Flag to enable standby service router relocation.
Standby relocation is not enabled until edge cluster is configured for Tier1.
type: bool default: false
force_whitelisting:
- description: Flag to add whitelisting FW rule during
realization.
default: False type: bool
intersite_config:
- description: Inter site routing configuration when the gateway is
streched.
type: dict suboptions:
fallback_sites:
- description: Fallback site to be used as new primary
site on current primary site failure. Disaster recovery must be initiated via API/UI. Fallback site configuration is supported only for T0 gateway. T1 gateway will follow T0 gateway’s primary site during disaster recovery.
type: list
intersite_transit_subnet:
- description:
Transit subnet in CIDR format
IPv4 subnet for inter-site transit segment connecting service routers across sites for stretched gateway. For IPv6 link local subnet is auto configured
type: str default: “169.254.32.0/20”
last_admin_active_epoch:
- description:
Epoch of last time admin changing active LocaleServices
Epoch(in seconds) is auto updated based on system current timestamp when primary locale service is updated. It is used for resolving conflict during site failover. If system clock not in sync then User can optionally override this. New value must be higher than the current value.
type: int
primary_site_path:
- description:
Primary egress site for gateway.
Primary egress site for gateway. T0/T1 gateway in Active/Standby mode supports stateful services on primary site. In this mode primary site must be set if gateway is stretched to more than one site. For T0 gateway in Active/Active primary site is optional field. If set then secondary site prefers routes learned from primary over locally learned routes. This field is not applicable for T1 gateway with no services
type: str
ipv6_ndra_profile_id:
- description: IPv6 NDRA profile configuration on Tier1.
Either or both NDRA and/or DAD profiles can be configured. Related attribute ipv6_dad_profile_id.
type: str
ipv6_ndra_profile_display_name:
- description: Same as ipv6_ndra_profile_id. Either one can be specified.
If both are specified, ipv6_ndra_profile_id takes precedence.
type: str
ipv6_dad_profile_id:
- description: IPv6 DRA profile configuration on Tier1.
Either or both NDRA and/or DAD profiles can be configured. Related attribute ipv6_ndra_profile_id.
type: str
ipv6_dad_profile_display_name:
- description: Same as ipv6_dad_profile_id. Either one can be specified.
If both are specified, ipv6_dad_profile_id takes precedence.
type: str
dhcp_config_id:
- description: DHCP configuration for Segments connected to
Tier-1. DHCP service is configured in relay mode.
type: str
dhcp_config_display_name:
- description: Same as dhcp_config_id. Either one can be specified.
If both are specified, dhcp_config_id takes precedence.
type: str
pool_allocation:
- description:
Edge node allocation size
Supports edge node allocation at different sizes for routing and load balancer service to meet performance and scalability requirements.
ROUTING - Allocate edge node to provide routing services.
LB_SMALL, LB_MEDIUM, LB_LARGE, LB_XLARGE - Specify size of load balancer service that will be configured on TIER1 gateway.
type: str
choices:
ROUTING
LB_SMALL
LB_MEDIUM
LB_LARGE
LB_XLARGE
default: ROUTING
qos_profile:
- description: QoS Profile configuration for Tier1 router link connected
to Tier0 gateway.
type: dict
suboptions:
- egress_qos_profile_path:
- description: Policy path to gateway QoS profile in egress
direction.
type: str
- ingress_qos_profile_path:
- description: Policy path to gateway QoS profile in ingress
direction.
type: str
route_advertisement_rules:
description: Route advertisement rules and filtering
type: list
suboptions:
- action:
- description:
Action to advertise filtered routes to the connected Tier0 gateway.
- choices:
PERMIT: Enables the advertisment
DENY: Disables the advertisement
type: str required: true
- name:
description: Display name for rule type: str required: true
- prefix_operator:
- description:
Prefix operator to filter subnets.
GE prefix operator filters all the routes with prefix length greater than or equal to the subnets configured.
EQ prefix operator filter all the routes with prefix length equal to the subnets configured.
type: str
choices:
GE
EQ
route_advertisement_types:
- description:
Enable different types of route advertisements.
By default, Routes to IPSec VPN local-endpoint subnets (TIER1_IPSEC_LOCAL_ENDPOINT) are advertised if no value is supplied here.
type: list choices:
‘TIER1_STATIC_ROUTES’
‘TIER1_CONNECTED’
‘TIER1_NAT’
‘TIER1_LB_VIP’
‘TIER1_LB_SNAT’
‘TIER1_DNS_FORWARDER_IP’
‘TIER1_IPSEC_LOCAL_ENDPOINT’
- subnets:
description: Network CIDRs to be routed. type: list
route_advertisement_types:
- description:
Enable different types of route advertisements.
By default, Routes to IPSec VPN local-endpoint subnets (TIER1_IPSEC_LOCAL_ENDPOINT) are advertised if no value is supplied here.
type: list choices:
‘TIER1_STATIC_ROUTES’
‘TIER1_CONNECTED’
‘TIER1_NAT’
‘TIER1_LB_VIP’
‘TIER1_LB_SNAT’
‘TIER1_DNS_FORWARDER_IP’
‘TIER1_IPSEC_LOCAL_ENDPOINT’
tier0_id:
description: Tier-1 connectivity to Tier-0 type: str
tier0_display_name:
- description: Same as tier0_id. Either one can be specified.
If both are specified, tier0_id takes precedence.
type: str
static_routes:
type: list element: dict description: This is a list of Static Routes that need to be created,updated, or deleted
suboptions:
- id:
description: Tier-1 Static Route ID. required: false
type: str
- display_name:
- description:
Tier-1 Static Route display name.
Either this or id must be specified. If both are specified, id takes precedence.
required: true type: str
description:
- description:
Tier-1 Static Route description.
type: str
state:
- description:
State can be either ‘present’ or ‘absent’. ‘present’ is used to create or update resource. ‘absent’ is used to delete resource.
Must be specified in order to modify the resource
choices:
present
absent
- network:
description: Network address in CIDR format required: true type: str
- next_hops:
description: Next hop routes for network type: list elements: dict
suboptions:
- admin_distance:
description: Cost associated with next hop route type: int default: 1
- ip_address:
description: Next hop gateway IP address type: str
- scope:
- description:
Interface path associated with current route
For example, specify a policy path referencing the IPSec VPN Session
type: list
- tags:
description: Opaque identifiers meaningful to the API user type: dict suboptions:
scope:
description: Tag scope. required: true type: str
- tag:
description: Tag value. required: true type: str
- locale_services:
type: list element: dict description: This is a list of Locale Services that need to be created,updated, or deleted
suboptions:
- id:
description: Tier-1 Locale Service ID type: str
- display_name:
- description:
Tier-1 Locale Service display name.
Either this or id must be specified. If both are specified, id takes precedence.
required: true type: str
description:
description: Tier-1 Locale Service description type: str
state:
- description:
State can be either ‘present’ or ‘absent’. ‘present’ is used to create or update resource. ‘absent’ is used to delete resource.
Required if I(segp_id != null)
choices:
present
absent
- tags:
description: Opaque identifiers meaningful to the API user. type: dict suboptions:
scope:
description: Tag scope. required: true type: str
- tag:
description: Tag value. required: true type: str
- edge_cluster_info:
- description: Used to create path to edge cluster. Auto-assigned
if associated enforcement-point has only one edge cluster.
type: dict suboptions:
site_id:
description: site_id where edge cluster is located default: default type: str
- enforcementpoint_id:
- description: enforcementpoint_id where edge cluster is
located
default: default type: str
- edge_cluster_id:
description: ID of the edge cluster
required: true type: str
- edge_cluster_display_name:
- description:
display name of the edge cluster.
Either this or edge_cluster_id must be specified. If both are specified, edge_cluster_id takes precedence
type: str
preferred_edge_nodes_info:
- description: Used to create paths to edge nodes. Specified edge
is used as preferred edge cluster member when failover mode is set to PREEMPTIVE, not applicable otherwise.
type: list suboptions:
site_id:
description: site_id where edge node is located default: default type: str
enforcementpoint_id:
- description: enforcementpoint_id where edge node is
located
default: default type: str
- edge_cluster_id:
- description: edge_cluster_id where edge node is
located
required: true type: str
edge_cluster_display_name:
- description:
display name of the edge cluster.
either this or edge_cluster_id must be specified. If both are specified, edge_cluster_id takes precedence
type: str
edge_node_id:
description: ID of the edge node type: str
edge_node_display_name:
- description:
Display name of the edge node.
either this or edge_node_id must be specified. If both are specified, edge_node_id takes precedence
type: str
- route_redistribution_types:
- description:
Enable redistribution of different types of routes on Tier-0.
This property is only valid for locale-service under Tier-0.
This property is deprecated, please use “route_redistribution_config” property to configure redistribution rules.
choices:
- TIER0_STATIC - Redistribute user added
static routes.
- TIER0_CONNECTED - Redistribute all
subnets configured on Interfaces and routes related to TIER0_ROUTER_LINK, TIER0_SEGMENT, TIER0_DNS_FORWARDER_IP, TIER0_IPSEC_LOCAL_IP, TIER0_NAT types.
- TIER1_STATIC - Redistribute all subnets
and static routes advertised by Tier-1s.
- TIER0_EXTERNAL_INTERFACE - Redistribute
external interface subnets on Tier-0.
- TIER0_LOOPBACK_INTERFACE - Redistribute
loopback interface subnets on Tier-0.
- TIER0_SEGMENT - Redistribute subnets
configured on Segments connected to Tier-0.
- TIER0_ROUTER_LINK - Redistribute router
link port subnets on Tier-0.
- TIER0_SERVICE_INTERFACE - Redistribute
Tier0 service interface subnets.
- TIER0_DNS_FORWARDER_IP - Redistribute DNS
forwarder subnets.
- TIER0_IPSEC_LOCAL_IP - Redistribute IPSec
subnets.
- TIER0_NAT - Redistribute NAT IPs owned by
Tier-0.
- TIER0_EVPN_TEP_IP - Redistribute EVPN
local endpoint subnets on Tier-0.
- TIER1_NAT - Redistribute NAT IPs
advertised by Tier-1 instances.
- TIER1_LB_VIP - Redistribute LB VIP IPs
advertised by Tier-1 instances.
- TIER1_LB_SNAT - Redistribute LB SNAT IPs
advertised by Tier-1 instances.
- TIER1_DNS_FORWARDER_IP - Redistribute DNS
forwarder subnets on Tier-1 instances.
- TIER1_CONNECTED - Redistribute all
subnets configured on Segments and Service Interfaces.
- TIER1_SERVICE_INTERFACE - Redistribute
Tier1 service interface subnets.
- TIER1_SEGMENT - Redistribute subnets
configured on Segments connected to Tier1.
- TIER1_IPSEC_LOCAL_ENDPOINT - Redistribute
IPSec VPN local-endpoint subnets advertised by TIER1.
type: list
route_redistribution_config:
- description: Configure all route redistribution properties like
enable/disable redistributon, redistribution rule and so on.
type: dict
suboptions:
bgp_enabled:
description: Flag to enable route redistribution. type: bool default: false
redistribution_rules:
description: List of redistribution rules. type: list elements: dict
suboptions:
- name:
description: Rule name type: str
- route_map_path:
- description: Route map to be associated with
the redistribution rule
type: str
- route_redistribution_types:
description: Tier-0 route redistribution types
choices:
TIER0_STATIC - Redistribute user added static routes.
TIER0_CONNECTED - Redistribute all subnets configured on Interfaces and routes related to TIER0_ROUTER_LINK, TIER0_SEGMENT, TIER0_DNS_FORWARDER_IP, TIER0_IPSEC_LOCAL_IP, TIER0_NAT types.
TIER1_STATIC - Redistribute all subnets and static routes advertised by Tier-1s.
TIER0_EXTERNAL_INTERFACE - Redistribute external interface subnets on Tier-0.
TIER0_LOOPBACK_INTERFACE - Redistribute loopback interface subnets on Tier-0.
TIER0_SEGMENT - Redistribute subnets configured on Segments connected to Tier-0.
TIER0_ROUTER_LINK - Redistribute router link port subnets on Tier-0.
TIER0_SERVICE_INTERFACE - Redistribute Tier0 service interface subnets.
TIER0_DNS_FORWARDER_IP - Redistribute DNS forwarder subnets.
TIER0_IPSEC_LOCAL_IP - Redistribute IPSec subnets.
TIER0_NAT - Redistribute NAT IPs owned by Tier-0.
TIER0_EVPN_TEP_IP - Redistribute EVPN local endpoint subnets on Tier-0.
TIER1_NAT - Redistribute NAT IPs advertised by Tier-1 instances.
TIER1_LB_VIP - Redistribute LB VIP IPs advertised by Tier-1 instances.
TIER1_LB_SNAT - Redistribute LB SNAT IPs advertised by Tier-1 instances.
TIER1_DNS_FORWARDER_IP - Redistribute DNS forwarder subnets on Tier-1 instances.
TIER1_CONNECTED - Redistribute all subnets configured on Segments and Service Interfaces.
TIER1_SERVICE_INTERFACE - Redistribute Tier1 service interface subnets.
TIER1_SEGMENT - Redistribute subnets configured on Segments connected to Tier1.
TIER1_IPSEC_LOCAL_ENDPOINT - Redistribute IPSec VPN local-endpoint subnets advertised by TIER1.
type: list
- ha_vip_configs:
type: list elements: dict description:
Array of HA VIP Config.
This configuration can be defined only for Active-Standby Tier0 gateway to provide redundancy. For mulitple external interfaces, multiple HA VIP configs must be defined and each config will pair exactly two external interfaces. The VIP will move and will always be owned by the Active node. When this property is configured, configuration of dynamic-routing is not allowed.
suboptions:
enabled:
description: Flag to enable this HA VIP config. default: true type: bool
- external_interface_info:
type: list elements: dict description: Array of external interface info external_interface_paths:
- description:
Policy paths to Tier0 external interfaces for providing redundancy
Policy paths to Tier0 external interfaces which are to be paired to provide redundancy. Floating IP will be owned by one of these interfaces depending upon which edge node is Active.
minimum 2 values should be present
type: list
tier0_display_name:
- description: tier0 display name to create the external
interface paths. Can be skipped if external interface paths are provided
- locale-service_display_name:
- description: locale-service display name attached to the provided
tier0. Can be skipped if external interface paths are provided
- ls_interface_display_name:
- description: interface attached to the provided tier0 and locale-service
Can be skipped if external interface paths are provided
vip_subnets:
- description:
VIP floating IP address subnets
Array of IP address subnets which will be used as floating IP addresses.
type: list
suboptions:
ip_addresses:
description: IP addresses assigned to interface type: list required: true
- prefix_len:
description: Subnet prefix length type: int required: true
- interfaces:
type: list element: dict
description: Specify the interfaces associated with the Gateway
suboptions:
- id:
description: Tier-1 Interface ID required: false type: str
- description:
description: Tier-1 Interface description type: str
- display_name:
- description:
Tier-1 Interface display name
Either this or id must be specified. If both are specified, id takes precedence.
required: false type: str
- state:
- description:
State can be either ‘present’ or ‘absent’. ‘present’ is used to create or update resource. ‘absent’ is used to delete resource.
Required if I(segp_id != null).
choices:
present
absent
tags:
- description: Opaque identifiers meaningful to the API
user
type: dict suboptions:
- scope:
description: Tag scope. required: true type: str
- tag:
description: Tag value. required: true type: str
ipv6_ndra_profile_id:
- description:
Configrue IPv6 NDRA profile. Only one NDRA profile can be configured
Required if I(id != null)
type: str
- mtu:
- description:
MTU size
Maximum transmission unit (MTU) specifies the size of the largest packet that a network protocol can transmit.
type: int
segment_id:
- description:
Specify Segment to which this interface is connected to.
Required if I(id != null)
type: str
segment_display_name:
- description:
Same as segment_id
Either this or segment_id must be specified. If both are specified, segment_id takes precedence.
type: str
subnets:
- description:
IP address and subnet specification for interface
Specify IP address and network prefix for interface
Required if I(id != null)
type: list elements: dict
suboptions:
- ip_addresses:
description: IP addresses assigned to interface type: str
- prefix_len:
description: Subnet prefix length type: str
- dhcp_config_id:
description: id of referenced dhcp-relay-config type: str
- dhcp_display_name:
description: name of referenced dhcp-relay-config
- urpf_mode:
description: Unicast Reverse Path Forwarding mode type: str requires: False choices:
NONE
STRICT
default: STRICT
- saltext.vmware.states.nsxt_policy_tier1.absent(name, hostname, username, password, display_name, verify_ssl=True, cert=None, cert_common_name=None)[source]#
Deletes tier1 gateway with the given display_name and all its sub-resources
CLI Example:
salt vm_minion nsxt_policy_tier1.absent hostname=nsxt-manager.local username=admin ... delete_tier1: nsxt_policy_tier1.absent: - name: <Name of the operation> hostname: <hostname> username: <username> password: <password> display_name: <display name of tier1 gateway> cert: <certificate> verify_ssl: <False/True> name Name of the operation to perform hostname The host name of NSX-T manager username Username to connect to NSX-T manager password Password to connect to NSX-T manager display_name Display name of the tier1 gateway to delete cert (Optional) Path to the SSL certificate file to connect to NSX-T manager verify_ssl (Optional) Option to enable/disable SSL verification. Enabled by default. If set to False, the certificate validation is skipped. cert (Optional) Path to the SSL certificate file to connect to NSX-T manager. The certificate can be retrieved from browser. cert_common_name (Optional) By default, the hostname parameter and the common name in certificate is compared for host name verification. If the client certificate common name and hostname do not match (in case of self-signed certificates), specify the certificate common name as part of this parameter. This value is then used to compare against certificate common name.