From 07fa350ae66f3b2bba5d0522c312f4f8dfdc1e3d Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Mon, 17 Mar 2025 15:41:48 +0100
Subject: [PATCH] access: enable port-security

Should prevent one way of network coming down. Again.
---
 roles/access/templates/config-d-link.j2 | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/roles/access/templates/config-d-link.j2 b/roles/access/templates/config-d-link.j2
index 283e4ec..3250be7 100644
--- a/roles/access/templates/config-d-link.j2
+++ b/roles/access/templates/config-d-link.j2
@@ -10,6 +10,7 @@ ip ssh server
 vlan {{ vlans | map(attribute='vid') | compact_numlist }}
+{# bond members #}
 {% for iface in interfaces | selectattr('lag') %}
 interface {{ iface.name }}
 {% if iface.enabled %} no{% endif %} shutdown
@@ -17,13 +18,21 @@ interface {{ iface.name }}
 {% endfor %}
+{# access interfaces #}
 {%- set mgmt = namespace(ip=false, gw=false) %}
 {%- for iface in interfaces | rejectattr('lag') %}
 interface {{ iface.name }}
-{% if iface.type.value != 'lag' %}
+{# common setup for user-facing interfaces #}
+{% if iface.type.value != 'lag' and not iface.mgmt_only %}
+ switchport port-security
+ switchport port-security maximum 250
+ switchport port-security violation shutdown
+ switchport port-security aging time 5
+ switchport port-security aging type inactivity
 {% if iface.enabled %} no shutdown{% else %} shutdown{% endif %}
 {% endif %}
+{# set VLAN for untagged ports #}
 {%+ if iface.mode and iface.mode.value == 'access' %}
 switchport mode access
 {% if iface.untagged_vlan and iface.untagged_vlan.vid != 1 %}
@@ -37,6 +46,9 @@ interface {{ iface.name }}
 no voice vlan enable
 {% endif %}
+{# set tagged and native VLANs for tagged ports #}
+{# if native (untagged) VLAN is set, add it to the list of tagged VLANs #}
+{# without this, the switch won’t forward traffic #}
 {%+ elif iface.mode and iface.mode.value == 'tagged' %}
 switchport mode trunk
 {% if iface.untagged_vlan %}
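Review bot: Narrowing the condition to `{% if iface.type.value != 'lag' and not iface.mgmt_only %}` also puts the existing `{% if iface.enabled %} no shutdown{% else %} shutdown{% endif %}` line out of reach for management-only interfaces, so their admin state is no longer rendered at all; the commit message does not mention that, so it looks unintended. Keeping the outer test as `{% if iface.type.value != 'lag' %}` and wrapping only the five port-security lines in `{% if not iface.mgmt_only %}` … `{% endif %}` restores that line for every non-LAG port. Separately, `switchport port-security violation shutdown` takes a violating port down and nothing in the hunk re-enables it, while `aging time 5` with `aging type inactivity` only expires learned entries; whether the switch is expected to recover such ports on its own or an operator is should be stated in the `{# common setup for user-facing interfaces #}` comment, and a recovery timer configured if the platform offers one. A comment giving the reason for `maximum 250` (presumably a flood ceiling rather than a per-host limit) would help the next reader judge whether the value still fits.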
@@ -48,10 +60,12 @@ interface {{ iface.name }}
 {% endif %}
 switchport trunk allowed vlan {{ iface_vlans | map(attribute='vid') | compact_numlist }}
+{# we don’t support any other mode #}
 {%+ else %}
 {% endif %}
+{# store management address and gateway for later #}
 {%- if iface.mgmt_only and iface.ip_addresses %}
 {% set mgmt.ip = iface.ip_addresses[0].address %}
 {% if iface.custom_fields.gateway %}
@@ -66,6 +80,7 @@ interface {{ iface.name }}
 {% endif %}
 {% endfor %}
+{# management VLAN #}
 {%- if mgmt.ip %}
 interface Vlan1
 ip address {{ mgmt.ip | ipaddr('address') }} {{ mgmt.ip | ipaddr('netmask') }}