diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ethernet-interfaces.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ethernet-interfaces.md
index b03984667d1..d2603791961 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ethernet-interfaces.md
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ethernet-interfaces.md
@@ -171,6 +171,15 @@ sFlow is disabled.
| --------- | --------------- | -----------| --------- |
| Ethernet16 | 111-112 | 110 | out |
+##### TCP MSS Clamping
+
+| Interface | Ipv4 Segment Size | Ipv6 Segment Size | Direction |
+| --------- | ----------------- | ----------------- | --------- |
+| Ethernet1 | 70 | 75 | egress |
+| Ethernet2 | 70 | - | ingress |
+| Ethernet3 | - | 65 | - |
+| Ethernet4 | 65 | - | - |
+
##### Transceiver Settings
| Interface | Transceiver Frequency | Media Override |
@@ -369,6 +378,7 @@ interface Ethernet1
ip igmp host-proxy access-list ACL2
ip igmp host-proxy report-interval 2
ip igmp host-proxy version 2
+ tcp mss ceiling ipv4 70 ipv6 75 egress
switchport port-security
priority-flow-control on
priority-flow-control priority 5 drop
@@ -383,6 +393,7 @@ interface Ethernet2
switchport trunk allowed vlan 110-111,210-211
switchport mode trunk
switchport
+ tcp mss ceiling ipv4 70 ingress
multicast ipv4 boundary ACL_MULTICAST
multicast ipv6 boundary ACL_V6_MULTICAST out
multicast ipv4 static
@@ -407,6 +418,7 @@ interface Ethernet3
ipv6 nd prefix 2345:ABCD:3FE0::1/96 infinite 50 no-autoconfig
ipv6 nd prefix 2345:ABCD:3FE0::2/96 50 infinite
ipv6 nd prefix 2345:ABCD:3FE0::3/96 100000 no-autoconfig
+ tcp mss ceiling ipv6 65
switchport port-security
no switchport port-security mac-address maximum disabled
switchport port-security vlan 1 mac-address maximum 3
@@ -428,6 +440,7 @@ interface Ethernet4
ipv6 address FE80:FEA::AB65/64 link-local
ipv6 nd ra disabled
ipv6 nd managed-config-flag
+ tcp mss ceiling ipv4 65
ipv6 access-group IPv6_ACL_IN in
ipv6 access-group IPv6_ACL_OUT out
multicast ipv4 boundary 224.0.1.0/24 out
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ethernet-interfaces.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ethernet-interfaces.cfg
index 320f69a961e..7be8c428e5a 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ethernet-interfaces.cfg
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ethernet-interfaces.cfg
@@ -31,6 +31,7 @@ interface Ethernet1
ip igmp host-proxy access-list ACL2
ip igmp host-proxy report-interval 2
ip igmp host-proxy version 2
+ tcp mss ceiling ipv4 70 ipv6 75 egress
switchport port-security
priority-flow-control on
priority-flow-control priority 5 drop
@@ -45,6 +46,7 @@ interface Ethernet2
switchport trunk allowed vlan 110-111,210-211
switchport mode trunk
switchport
+ tcp mss ceiling ipv4 70 ingress
multicast ipv4 boundary ACL_MULTICAST
multicast ipv6 boundary ACL_V6_MULTICAST out
multicast ipv4 static
@@ -69,6 +71,7 @@ interface Ethernet3
ipv6 nd prefix 2345:ABCD:3FE0::1/96 infinite 50 no-autoconfig
ipv6 nd prefix 2345:ABCD:3FE0::2/96 50 infinite
ipv6 nd prefix 2345:ABCD:3FE0::3/96 100000 no-autoconfig
+ tcp mss ceiling ipv6 65
switchport port-security
no switchport port-security mac-address maximum disabled
switchport port-security vlan 1 mac-address maximum 3
@@ -90,6 +93,7 @@ interface Ethernet4
ipv6 address FE80:FEA::AB65/64 link-local
ipv6 nd ra disabled
ipv6 nd managed-config-flag
+ tcp mss ceiling ipv4 65
ipv6 access-group IPv6_ACL_IN in
ipv6 access-group IPv6_ACL_OUT out
multicast ipv4 boundary 224.0.1.0/24 out
diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ethernet-interfaces.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ethernet-interfaces.yml
index 7440fdd3049..f7b6a7174b1 100644
--- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ethernet-interfaces.yml
+++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ethernet-interfaces.yml
@@ -29,6 +29,10 @@ ethernet_interfaces:
bgp:
session_tracker: ST1
ip_verify_unicast_source_reachable_via: rx
+ tcp_mss_ceiling:
+ ipv4_segment_size: 70
+ ipv6_segment_size: 75
+ direction: egress
switchport:
port_security:
enabled: true
@@ -66,6 +70,9 @@ ethernet_interfaces:
description: SRV-POD02_Eth1
mode: trunk
vlans: 110-111,210-211
+ tcp_mss_ceiling:
+ ipv4_segment_size: 70
+ direction: ingress
multicast:
ipv4:
static: true
@@ -128,6 +135,8 @@ ethernet_interfaces:
priority_flow_control:
enabled: false
spanning_tree_guard: root
+ tcp_mss_ceiling:
+ ipv6_segment_size: 65
switchport:
port_security:
mac_address_maximum:
@@ -155,6 +164,8 @@ ethernet_interfaces:
priority_flow_control:
enabled: true
spanning_tree_guard: disabled
+ tcp_mss_ceiling:
+ ipv4_segment_size: 65
multicast:
ipv4:
static: true
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ethernet-interfaces.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ethernet-interfaces.md
index d0578e5a3d6..7ab88329a20 100644
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ethernet-interfaces.md
+++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ethernet-interfaces.md
@@ -176,6 +176,10 @@
| [ interval](## "ethernet_interfaces.[].pim.ipv4.hello.interval") | Integer | | | Min: 1
Max: 65535 | PIM hello interval in seconds. |
| [ mac_security](## "ethernet_interfaces.[].mac_security") | Dictionary | | | | |
| [ profile](## "ethernet_interfaces.[].mac_security.profile") | String | | | | |
+ | [ tcp_mss_ceiling](## "ethernet_interfaces.[].tcp_mss_ceiling") | Dictionary | | | | The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface. |
+ | [ ipv4_segment_size](## "ethernet_interfaces.[].tcp_mss_ceiling.ipv4_segment_size") | Integer | | | Min: 64
Max: 65475 | |
+ | [ ipv6_segment_size](## "ethernet_interfaces.[].tcp_mss_ceiling.ipv6_segment_size") | Integer | | | Min: 64
Max: 65475 | |
+ | [ direction](## "ethernet_interfaces.[].tcp_mss_ceiling.direction") | String | | | Valid Values:
- egress
- ingress
| |
| [ channel_group](## "ethernet_interfaces.[].channel_group") | Dictionary | | | | |
| [ id](## "ethernet_interfaces.[].channel_group.id") | Integer | | | | |
| [ mode](## "ethernet_interfaces.[].channel_group.mode") | String | | | Valid Values:
- on
- active
- passive
| |
@@ -725,6 +729,13 @@
interval:
mac_security:
profile:
+
+ # The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
+ # of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
+ tcp_mss_ceiling:
+ ipv4_segment_size:
+ ipv6_segment_size:
+ direction:
channel_group:
id:
mode:
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json
index 4eebfe35a5d..7da77f97ac2 100644
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json
+++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.jsonschema.json
@@ -3792,6 +3792,37 @@
},
"title": "MAC Security"
},
+ "tcp_mss_ceiling": {
+ "type": "object",
+ "description": "The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header\nof TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.",
+ "properties": {
+ "ipv4_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv4 Segment Size"
+ },
+ "ipv6_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv6 Segment Size"
+ },
+ "direction": {
+ "type": "string",
+ "enum": [
+ "egress",
+ "ingress"
+ ],
+ "title": "Direction"
+ }
+ },
+ "additionalProperties": false,
+ "patternProperties": {
+ "^_.+$": {}
+ },
+ "title": "TCP Mss Ceiling"
+ },
"channel_group": {
"type": "object",
"properties": {
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml
index c9bf6a78ebe..a85d8066148 100644
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml
+++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/eos_cli_config_gen.schema.yml
@@ -2291,6 +2291,31 @@ keys:
keys:
profile:
type: str
+ tcp_mss_ceiling:
+ type: dict
+ description: 'The TCP MSS clamping feature involves clamping the maximum
+ segment size (MSS) in the TCP header
+
+ of TCP SYN packets if it exceeds the configured MSS ceiling limit for
+ the interface.'
+ keys:
+ ipv4_segment_size:
+ type: int
+ convert_types:
+ - str
+ min: 64
+ max: 65475
+ ipv6_segment_size:
+ type: int
+ convert_types:
+ - str
+ min: 64
+ max: 65475
+ direction:
+ type: str
+ valid_values:
+ - egress
+ - ingress
channel_group:
type: dict
keys:
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ethernet_interfaces.schema.yml b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ethernet_interfaces.schema.yml
index 67aa7b7b62f..d9198550746 100644
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ethernet_interfaces.schema.yml
+++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ethernet_interfaces.schema.yml
@@ -497,6 +497,29 @@ keys:
keys:
profile:
type: str
+ tcp_mss_ceiling:
+ type: dict
+ description: |-
+ The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
+ of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
+ keys:
+ ipv4_segment_size:
+ type: int
+ convert_types:
+ - str
+ min: 64
+ max: 65475
+ ipv6_segment_size:
+ type: int
+ convert_types:
+ - str
+ min: 64
+ max: 65475
+ direction:
+ type: str
+ valid_values:
+ - egress
+ - ingress
channel_group:
type: dict
keys:
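Review bot: The three keys under `tcp_mss_ceiling` carry no `description`, so the generated tables show empty cells for them and a reader cannot tell the unit or what leaving out `direction` does. I would add `description: Maximum segment size in bytes for IPv4 TCP SYN packets.` (and the IPv6 equivalent), and on `direction` something like `description: Optional. When omitted, no direction keyword is added to the command.`, which matches the eos template in this commit. Both address families use the same 64-65475 range; it is worth confirming against the platform's CLI help that the IPv4 and IPv6 limits really are identical. The generated eos_cli_config_gen.schema.yml and the JSON schemas mirror this text and should be regenerated rather than edited by hand.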
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ethernet-interfaces.j2 b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ethernet-interfaces.j2
index 0c4e69436e1..020dec87b0f 100644
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ethernet-interfaces.j2
+++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ethernet-interfaces.j2
@@ -165,6 +165,30 @@
{% endif %}
{% endfor %}
{% endif %}
+{# TCP MSS Clamping #}
+{% set tcp_mss_clampings = [] %}
+{% for ethernet_interface in ethernet_interfaces | arista.avd.natural_sort('name') %}
+{% if ethernet_interface.tcp_mss_ceiling is arista.avd.defined %}
+{% do tcp_mss_clampings.append(ethernet_interface) %}
+{% endif %}
+{% endfor %}
+{% if tcp_mss_clampings | length > 0 %}
+
+##### TCP MSS Clamping
+
+| Interface | Ipv4 Segment Size | Ipv6 Segment Size | Direction |
+| --------- | ----------------- | ----------------- | --------- |
+{% for tcp_mss_clamping in tcp_mss_clampings | arista.avd.natural_sort('name') %}
+{% set interface = tcp_mss_clamping.name %}
+{% if tcp_mss_clamping.tcp_mss_ceiling.ipv4_segment_size is arista.avd.defined %}
+{% set ipv4_segment_size = tcp_mss_clamping.tcp_mss_ceiling.ipv4_segment_size %}
+{% endif %}
+{% if tcp_mss_clamping.tcp_mss_ceiling.ipv6_segment_size is arista.avd.defined %}
+{% set ipv6_segment_size = tcp_mss_clamping.tcp_mss_ceiling.ipv6_segment_size %}
+{% endif %}
+| {{ interface }} | {{ ipv4_segment_size | arista.avd.default("-") }} | {{ ipv6_segment_size | arista.avd.default("-") }} | {{ tcp_mss_clamping.tcp_mss_ceiling.direction | arista.avd.default("-") }} |
+{% endfor %}
+{% endif %}
{# Transceiver Settings #}
{% set transceiver_settings = [] %}
{% for ethernet_interface in ethernet_interfaces | arista.avd.natural_sort('name') %}
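Review bot: The table row reads `ipv4_segment_size` and `ipv6_segment_size` from variables that are only assigned inside `{% if %}` branches, so on an interface that omits one of them the name is not set in that iteration and, as far as I can tell from Jinja2's scoping rules, is looked up in the surrounding render context instead. The expected output in this commit shows `-` in those cells, so nothing carries over between iterations, but an inventory variable that happens to be named `ipv4_segment_size` would be printed in the table. Dropping the two conditional `set` blocks and reading the keys directly, as the `direction` cell already does, removes that dependency: `| {{ tcp_mss_clamping.name }} | {{ tcp_mss_clamping.tcp_mss_ceiling.ipv4_segment_size | arista.avd.default("-") }} | {{ tcp_mss_clamping.tcp_mss_ceiling.ipv6_segment_size | arista.avd.default("-") }} | {{ tcp_mss_clamping.tcp_mss_ceiling.direction | arista.avd.default("-") }} |`. The second `arista.avd.natural_sort('name')` is redundant, since `tcp_mss_clampings` is filled from a loop that is already sorted.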
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ethernet-interfaces.j2 b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ethernet-interfaces.j2
index e813546cf04..2d563d36c6a 100644
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ethernet-interfaces.j2
+++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ethernet-interfaces.j2
@@ -438,6 +438,19 @@ interface {{ ethernet_interface.name }}
{% endif %}
{{ destination_cli }}
{% endfor %}
+{% if ethernet_interface.tcp_mss_ceiling.ipv4_segment_size is arista.avd.defined or ethernet_interface.tcp_mss_ceiling.ipv6_segment_size is arista.avd.defined %}
+{% set tcp_mss_ceiling_cli = "tcp mss ceiling" %}
+{% if ethernet_interface.tcp_mss_ceiling.ipv4_segment_size is arista.avd.defined %}
+{% set tcp_mss_ceiling_cli = tcp_mss_ceiling_cli ~ " ipv4 " ~ ethernet_interface.tcp_mss_ceiling.ipv4_segment_size %}
+{% endif %}
+{% if ethernet_interface.tcp_mss_ceiling.ipv6_segment_size is arista.avd.defined %}
+{% set tcp_mss_ceiling_cli = tcp_mss_ceiling_cli ~ " ipv6 " ~ ethernet_interface.tcp_mss_ceiling.ipv6_segment_size %}
+{% endif %}
+{% if ethernet_interface.tcp_mss_ceiling.direction is arista.avd.defined %}
+{% set tcp_mss_ceiling_cli = tcp_mss_ceiling_cli ~ " " ~ ethernet_interface.tcp_mss_ceiling.direction %}
+{% endif %}
+ {{ tcp_mss_ceiling_cli }}
+{% endif %}
{% if ethernet_interface.channel_group.id is arista.avd.defined and ethernet_interface.channel_group.mode is arista.avd.defined %}
channel-group {{ ethernet_interface.channel_group.id }} mode {{ ethernet_interface.channel_group.mode }}
{% if ethernet_interface.lacp_timer.mode is arista.avd.defined %}
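Review bot: A `tcp_mss_ceiling` that sets only `direction` renders nothing, because the outer `{% if %}` requires `ipv4_segment_size` or `ipv6_segment_size` and the schema added in this commit does not require either key. That input is accepted and silently dropped, while the documentation template still lists the interface under TCP MSS Clamping because it tests only `tcp_mss_ceiling`, so the generated documentation can describe clamping that the device configuration does not contain. None of the four molecule interfaces exercises this case. Either state the rule above the block, `{# direction is rendered only together with at least one segment size #}`, and give the documentation template the same condition, or reject the input during validation. The enclosing interface loop starts and ends outside this hunk.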
diff --git a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json
index b9bf0b9a76c..59bf71130fb 100644
--- a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json
+++ b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json
@@ -8682,6 +8682,37 @@
},
"title": "MAC Security"
},
+ "tcp_mss_ceiling": {
+ "type": "object",
+ "description": "The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header\nof TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.",
+ "properties": {
+ "ipv4_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv4 Segment Size"
+ },
+ "ipv6_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv6 Segment Size"
+ },
+ "direction": {
+ "type": "string",
+ "enum": [
+ "egress",
+ "ingress"
+ ],
+ "title": "Direction"
+ }
+ },
+ "additionalProperties": false,
+ "patternProperties": {
+ "^_.+$": {}
+ },
+ "title": "TCP Mss Ceiling"
+ },
"channel_group": {
"type": "object",
"properties": {
@@ -14448,6 +14479,37 @@
},
"title": "MAC Security"
},
+ "tcp_mss_ceiling": {
+ "type": "object",
+ "description": "The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header\nof TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.",
+ "properties": {
+ "ipv4_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv4 Segment Size"
+ },
+ "ipv6_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv6 Segment Size"
+ },
+ "direction": {
+ "type": "string",
+ "enum": [
+ "egress",
+ "ingress"
+ ],
+ "title": "Direction"
+ }
+ },
+ "additionalProperties": false,
+ "patternProperties": {
+ "^_.+$": {}
+ },
+ "title": "TCP Mss Ceiling"
+ },
"channel_group": {
"type": "object",
"properties": {
@@ -20778,6 +20840,37 @@
},
"title": "MAC Security"
},
+ "tcp_mss_ceiling": {
+ "type": "object",
+ "description": "The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header\nof TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.",
+ "properties": {
+ "ipv4_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv4 Segment Size"
+ },
+ "ipv6_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv6 Segment Size"
+ },
+ "direction": {
+ "type": "string",
+ "enum": [
+ "egress",
+ "ingress"
+ ],
+ "title": "Direction"
+ }
+ },
+ "additionalProperties": false,
+ "patternProperties": {
+ "^_.+$": {}
+ },
+ "title": "TCP Mss Ceiling"
+ },
"channel_group": {
"type": "object",
"properties": {
@@ -51344,6 +51437,37 @@
},
"title": "MAC Security"
},
+ "tcp_mss_ceiling": {
+ "type": "object",
+ "description": "The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header\nof TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.",
+ "properties": {
+ "ipv4_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv4 Segment Size"
+ },
+ "ipv6_segment_size": {
+ "type": "integer",
+ "minimum": 64,
+ "maximum": 65475,
+ "title": "IPv6 Segment Size"
+ },
+ "direction": {
+ "type": "string",
+ "enum": [
+ "egress",
+ "ingress"
+ ],
+ "title": "Direction"
+ }
+ },
+ "additionalProperties": false,
+ "patternProperties": {
+ "^_.+$": {}
+ },
+ "title": "TCP Mss Ceiling"
+ },
"channel_group": {
"type": "object",
"properties": {