rc/network
2
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

access: enable port-security

Browse source 
Should prevent one way of network coming down. Again.
This commit is contained in:
Timotej Lazar 2025-03-17 15:41:48 +01:00
parent fe30b550de
commit 07fa350ae6
1 changed files with 16 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
roles/access/templates/config-d-link.j2
View file

@ -10,6 +10,7 @@ ip ssh server
vlan {{ vlans | map(attribute='vid') | compact_numlist }} vlan {{ vlans | map(attribute='vid') | compact_numlist }}
{# bond members #}
{% for iface in interfaces | selectattr('lag') %} {% for iface in interfaces | selectattr('lag') %}
interface {{ iface.name }} interface {{ iface.name }}
{% if iface.enabled %} no{% endif %} shutdown {% if iface.enabled %} no{% endif %} shutdown
@ -17,13 +18,21 @@ interface {{ iface.name }}
{% endfor %} {% endfor %}
{# access interfaces #}
{%- set mgmt = namespace(ip=false, gw=false) %} {%- set mgmt = namespace(ip=false, gw=false) %}
{%- for iface in interfaces | rejectattr('lag') %} {%- for iface in interfaces | rejectattr('lag') %}
interface {{ iface.name }} interface {{ iface.name }}
{% if iface.type.value != 'lag' %} {# common setup for user-facing interfaces #}
{% if iface.type.value != 'lag' and not iface.mgmt_only %}
switchport port-security
switchport port-security maximum 250
switchport port-security violation shutdown
switchport port-security aging time 5
switchport port-security aging type inactivity
{% if iface.enabled %} no shutdown{% else %} shutdown{% endif %} {% if iface.enabled %} no shutdown{% else %} shutdown{% endif %}
{% endif %} {% endif %}
{# set VLAN for untagged ports #}
{%+ if iface.mode and iface.mode.value == 'access' %} {%+ if iface.mode and iface.mode.value == 'access' %}
switchport mode access switchport mode access
{% if iface.untagged_vlan and iface.untagged_vlan.vid != 1 %} {% if iface.untagged_vlan and iface.untagged_vlan.vid != 1 %}
@ -37,6 +46,9 @@ interface {{ iface.name }}
no voice vlan enable no voice vlan enable
{% endif %} {% endif %}
{# set tagged and native VLANs for tagged ports #}
{# if native (untagged) VLAN is set, add it to the list of tagged VLANs #}
{# without this, the switch won’t forward traffic #}
{%+ elif iface.mode and iface.mode.value == 'tagged' %} {%+ elif iface.mode and iface.mode.value == 'tagged' %}
switchport mode trunk switchport mode trunk
{% if iface.untagged_vlan %} {% if iface.untagged_vlan %}
@ -48,10 +60,12 @@ interface {{ iface.name }}
{% endif %} {% endif %}
switchport trunk allowed vlan {{ iface_vlans | map(attribute='vid') | compact_numlist }} switchport trunk allowed vlan {{ iface_vlans | map(attribute='vid') | compact_numlist }}
{# we don’t support any other mode #}
{%+ else %} {%+ else %}
{% endif %} {% endif %}
{# store management address and gateway for later #}
{%- if iface.mgmt_only and iface.ip_addresses %} {%- if iface.mgmt_only and iface.ip_addresses %}
{% set mgmt.ip = iface.ip_addresses[0].address %} {% set mgmt.ip = iface.ip_addresses[0].address %}
{% if iface.custom_fields.gateway %} {% if iface.custom_fields.gateway %}
@ -66,6 +80,7 @@ interface {{ iface.name }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{# management VLAN #}
{%- if mgmt.ip %} {%- if mgmt.ip %}
interface Vlan1 interface Vlan1
ip address {{ mgmt.ip | ipaddr('address') }} {{ mgmt.ip | ipaddr('netmask') }} ip address {{ mgmt.ip | ipaddr('address') }} {{ mgmt.ip | ipaddr('netmask') }}