config

list / elements=dictionary / required

A list containing detailed configurations for creating, updating, or deleting fabric sites or zones in a Software-Defined Access (SDA) environment. It also includes specifications for updating the authentication profile template for these sites. Each element in the list represents a specific operation to be performed on the SDA infrastructure, such as the addition, modification, or removal of fabric sites/zones, and modifications to authentication profiles.

fabric_sites

dictionary

A dictionary containing detailed configurations for managing REST Endpoints that will receive Audit log and Events from the Cisco Catalyst Center Platform. This dictionary is essential for specifying attributes and parameters required for the lifecycle management of fabric sites, zones, and associated authentication profiles.

apply_pending_events

boolean

Modifying an IP address pool used in a fabric causes the fabric to become outdated. An update is required to apply the IP address pool changes to the devices in the fabric site. The reconfiguration time depends on the number of devices. During an upgrade, any pending fabric updates are captured as pending fabric events and applied to the respective site. By default, this is set to False.

Choices:

• false
• true

authentication_profile

string

The authentication profile applied to the specified fabric. This profile determines the security posture and controls for network access within the site. Possible values include ‘Closed Authentication’, ‘Low Impact’, ‘No Authentication’, and ‘Open Authentication’. This setting is critical when creating or updating a fabric site or updating the authentication profile template.

fabric_type

string / required

Specifies the type of site to be managed within the SDA environment. The acceptable values are ‘fabric_site’ and ‘fabric_zone’. The default value is ‘fabric_site’, indicating the configuration of a broader network area, whereas ‘fabric_zone’ typically refers to a more specific segment within the site.

is_pub_sub_enabled

boolean

A boolean flag that indicates whether the pub/sub mechanism is enabled for control nodes in the fabric site. This feature is relevant only when creating or updating fabric sites, not fabric zones. When set to True, pub/sub facilitates more efficient communication and control within the site. The default is True for fabric sites, and this setting is not applicable for fabric zones.

Choices:

• false
• true

site_name_hierarchy

string / required

This name uniquely identifies the site for operations such as creating, updating, or deleting fabric sites or zones, as well as for updating the authentication profile template. This parameter is mandatory for any fabric site/zone management operation.

update_authentication_profile

dictionary

A dictionary containing the specific details required to update the authentication profile template associated with the fabric site. This includes advanced settings that fine-tune the authentication process and security controls within the site.

authentication_order

string

Specifies the primary method of authentication for the site. The available methods are ‘dot1x’ (IEEE 802.1X) and ‘mac’ (MAC-based authentication). This setting determines the order in which authentication mechanisms are attempted.

dot1x_fallback_timeout

integer

The timeout duration, in seconds, for falling back from 802.1X authentication. This value must be within the range of 3 to 120 seconds. It defines the period a device waits before attempting an alternative authentication method if 802.1X fails.

enable_bpu_guard

boolean

A boolean setting that enables or disables BPDU Guard. BPDU Guard provides a security mechanism by disabling a port when a BPDU (Bridge Protocol Data Unit) is received, protecting against potential network loops. This setting defaults to true and is applicable only when the authentication profile is set to “Closed Authentication”.

Choices:

• false
• true

number_of_hosts

string

Specifies the number of hosts allowed per port. The available options are ‘Single’ for one device per port or ‘Unlimited’ for multiple devices. This setting helps in controlling the network access and maintaining security.

pre_auth_acl

dictionary

Defines the Pre-Authentication Access Control List (ACL), which is applicable only when the ‘authentication_profile’ is set to “Low Impact.” This profile allows limited network access before authentication, and the ACL controls which traffic is allowed or blocked during this phase. It is not used with other profiles, as they typically block all traffic until authentication is complete.

access_contracts

list / elements=dictionary

A list of rules that specify how traffic is handled based on defined conditions. Each rule determines whether traffic is permitted or denied based on the contract parameters. If the ‘access_contracts’ is not provided or is set to null, the system will fall back on its default traffic handling settings. Additionally, up to 3 access control rules can be defined at a time.

action

string

The action to apply when traffic matches the rule. The allowed actions are ‘PERMIT’ (allow the traffic) and ‘DENY’ (block the traffic).

port

string

Specifies the symbolic port name to which the ACL rule applies. The allowed values are ‘domain’ (DNS), ‘bootpc’ (Bootstrap Protocol Client), and ‘bootps’ (Bootstrap Protocol Server). Each port name can only be used once in the Access Contract list.

protocol

string

The protocol that defines the type of traffic to be filtered by the access contract rule. The allowed protocols are ‘UDP’, ‘TCP’, and ‘TCP_UDP’. However, ‘TCP’ and ‘TCP_UDP’ are only allowed when the contract port is set to ‘domain’.

description

string

A brief text description of the Pre-Authentication ACL, outlining its purpose or providing relevant notes for administrators.

enabled

boolean

A boolean value indicating whether the Pre-Authentication ACL is enabled. When set to ‘true’, the ACL rules are enforced to control traffic before authentication.

Choices:

• false
• true

implicit_action

string

Specifies the default action for traffic that does not match any explicit ACL rules. Common actions include ‘PERMIT’ to allow unmatched traffic or ‘DENY’ to block it. Implicit behaviour unless overridden (defaults to “DENY”).

Default: "DENY"

wake_on_lan

boolean

A boolean value indicating whether the Wake-on-LAN feature is enabled. Wake-on-LAN allows the network to remotely wake up devices that are in a low-power state.

Choices:

• false
• true

config_verify

boolean

Set to True to verify the Cisco Catalyst Center configuration after applying the playbook configuration.

Choices:

• false ← (default)
• true

dnac_api_task_timeout

integer

Defines the timeout in seconds for API calls to retrieve task details. If the task details are not received within this period, the process will end, and a timeout notification will be logged.

Default: 1200

dnac_debug

boolean

Indicates whether debugging is enabled in the Cisco Catalyst Center SDK.

Choices:

• false ← (default)
• true

dnac_host

string / required

The hostname of the Cisco Catalyst Center.

dnac_log

boolean

Flag to enable/disable playbook execution logging.

When true and dnac_log_file_path is provided, - Create the log file at the execution location with the specified name.

When true and dnac_log_file_path is not provided, - Create the log file at the execution location with the name ‘dnac.log’.

When false, - Logging is disabled.

If the log file doesn’t exist, - It is created in append or write mode based on the “dnac_log_append” flag.

If the log file exists, - It is overwritten or appended based on the “dnac_log_append” flag.

Choices:

• false ← (default)
• true

dnac_log_append

boolean

Determines the mode of the file. Set to True for ‘append’ mode. Set to False for ‘write’ mode.

Choices:

• false
• true ← (default)

dnac_log_file_path

string

Governs logging. Logs are recorded if dnac_log is True.

If path is not specified, - When ‘dnac_log_append’ is True, ‘dnac.log’ is generated in the current Ansible directory; logs are appended. - When ‘dnac_log_append’ is False, ‘dnac.log’ is generated; logs are overwritten.

If path is specified, - When ‘dnac_log_append’ is True, the file opens in append mode. - When ‘dnac_log_append’ is False, the file opens in write (w) mode. - In shared file scenarios, without append mode, content is overwritten after each module execution. - For a shared log file, set append to False for the 1st module (to overwrite); for subsequent modules, set append to True.

Default: "dnac.log"

dnac_log_level

string

Sets the threshold for log level. Messages with a level equal to or higher than this will be logged. Levels are listed in order of severity [CRITICAL, ERROR, WARNING, INFO, DEBUG].

CRITICAL indicates serious errors halting the program. Displays only CRITICAL messages.

ERROR indicates problems preventing a function. Displays ERROR and CRITICAL messages.

WARNING indicates potential future issues. Displays WARNING, ERROR, CRITICAL messages.

INFO tracks normal operation. Displays INFO, WARNING, ERROR, CRITICAL messages.

DEBUG provides detailed diagnostic info. Displays all log messages.

Default: "WARNING"

dnac_password

string

The password for authentication at the Cisco Catalyst Center.

dnac_port

string

Specifies the port number associated with the Cisco Catalyst Center.

Default: "443"

dnac_task_poll_interval

integer

Specifies the interval in seconds between successive calls to the API to retrieve task details.

Default: 2

dnac_username

aliases: user

string

The username for authentication at the Cisco Catalyst Center.

Default: "admin"

dnac_verify

boolean

Flag to enable or disable SSL certificate verification.

Choices:

• false
• true ← (default)

dnac_version

string

Specifies the version of the Cisco Catalyst Center that the SDK should use.

Default: "2.2.3.3"

state

string

The desired state of Cisco Catalyst Center after the module execution.

Choices:

• "merged" ← (default)
• "deleted"

validate_response_schema

boolean

Flag for Cisco Catalyst Center SDK to enable the validation of request bodies against a JSON schema.

Choices:

• false
• true ← (default)

dnac_response

dictionary

A dictionary or list with the response returned by the Cisco Catalyst Center Python SDK

Returned: always

Sample: {"response": {"taskId": "string", "url": "string"}, "version": "string"}