From de05fd236b6fcca9b864b95cbd5b39b4ae1b25e3 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Sat, 9 Nov 2024 19:56:31 +0100 Subject: [PATCH 1/2] access: enable DHCP snooping on D-Link switches Use the ifaces_dhcp custom context property to select interfaces where we should expect DHCP replies. --- roles/access/tasks/main.yml | 2 +- roles/access/templates/config-d-link.j2 | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/roles/access/tasks/main.yml b/roles/access/tasks/main.yml index a48f03e..785a8a2 100644 --- a/roles/access/tasks/main.yml +++ b/roles/access/tasks/main.yml @@ -19,7 +19,7 @@ ansible_terminal_stderr_re: [] # some errors are not actually errors register: result # These lines are not displayed by 'sho ru' and always reported as different, so ignore them. - changed_when: result.commands | reject('match', '^(no shutdown|no switchport access vlan|no voice vlan.*|switchport mode access|switchport mode hybrid|interface .*|no enable service web-server https?)$') + changed_when: result.commands | reject('match', '^(no shutdown|no switchport access vlan|no voice vlan.*|switchport mode access|switchport mode hybrid|interface .*|no enable service web-server https?|no ip dhcp snooping|no ip dhcp snooping trust)$') notify: write config - name: Run model-specific tasks diff --git a/roles/access/templates/config-d-link.j2 b/roles/access/templates/config-d-link.j2 index ab2a982..9942cf6 100644 --- a/roles/access/templates/config-d-link.j2 +++ b/roles/access/templates/config-d-link.j2 @@ -51,6 +51,12 @@ interface {{ iface.name }} {% set mgmt.gw = iface.custom_fields.gateway.address %} {% endif %} {% endif %} + +{% if iface.name in ifaces_dhcp | default([]) %} + ip dhcp snooping trust +{% else %} + no ip dhcp snooping trust +{% endif %} {% endfor %} {%- if mgmt.ip %} 
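Review bot: Adding `no ip dhcp snooping` and `no ip dhcp snooping trust` to the `changed_when` reject pattern also hides a genuine transition from trusted to untrusted (or from snooping on to off), because the filter looks only at the command text and not at whether the switch previously held the positive form; such a run would presumably still push the commands but report ok, so the `write config` handler is not notified and the running-config change may never be saved. If the intent is only to suppress default-state noise, record that limitation next to the existing comment, e.g. `# NOTE: removing snooping/trust is filtered too, so that change alone will not trigger 'write config'`, or derive the change flag from the fetched running config instead of the command list. As a smaller point, the two new alternatives collapse into one, `no ip dhcp snooping( trust)?`. The task's `- name:` line and its module call lie above the hunk.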
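Review bot: `iface.name in ifaces_dhcp | default([])` becomes a substring test if `ifaces_dhcp` is supplied as a string rather than a list (Jinja `in` on strings), so an entry like `1/0/1` would also mark `1/0/10`-style ports as trusted DHCP sources, which defeats the point of snooping on a client-facing port; the commit message calls it a custom context property but nothing visible pins its type. Consider validating it once in the playbook (e.g. `assert` that `ifaces_dhcp is not string` or that `ifaces_dhcp | type_debug == 'list'`) before this template is rendered. The same variable is read with `default(false)` in the later hunk of this file; using `default([])` in both places keeps a single type and truthiness. The enclosing `{% for iface in ... %}` loop starts above the hunk.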
@@ -83,6 +89,12 @@ sntp server {{ address }} ntp access-group default nomodify noquery +{% if ifaces_dhcp | default(false) %} +ip dhcp snooping +{% else %} +no ip dhcp snooping +{% endif %} + {% if mgmt.gw %} ip route 0.0.0.0 0.0.0.0 {{ mgmt.gw | ipaddr('address') }} primary {% endif %} From 1d97ec2cdaf8d4fc4fce7049a952f10af49d5710 Mon Sep 17 00:00:00 2001 From: Timotej Lazar Date: Sat, 9 Nov 2024 19:59:11 +0100 Subject: [PATCH 2/2] exit: remove --giaddr-src option for DHCP relay Seems to work OK without it. --- roles/exit/templates/isc-dhcp-relay.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/exit/templates/isc-dhcp-relay.j2 b/roles/exit/templates/isc-dhcp-relay.j2 index ae42667..fb15a3e 100644 --- a/roles/exit/templates/isc-dhcp-relay.j2 +++ b/roles/exit/templates/isc-dhcp-relay.j2 @@ -5,8 +5,7 @@ SERVERS="{{ my_server | ipaddr('address') }}" {% if my_prefix.vrf.name == 'outside' %} INTF_CMD="{{ my_vlans | map('regex_replace', '^', '-id bridge.') | join(' ') }} -iu {{ iface_uplink }} -iu peerlink.4 -U {{ my_prefix.vrf.name }}" -OPTIONS="" {% else %} INTF_CMD="{{ my_vlans | map('regex_replace', '^', '-id bridge.') | join(' ') }} -U bridge.{{ my_prefix.vlan.vid }}" -OPTIONS="--giaddr-src" {% endif %} +OPTIONS=""
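Review bot: `ip dhcp snooping` is enabled globally whenever `ifaces_dhcp` is truthy, but nothing checks that the names in it match an `iface.name` actually rendered by the interface loop; a typo or a differently formatted name would switch snooping on with no trusted port, so the switch drops every DHCP reply and clients lose addresses, which is an easy way to cause a self-inflicted outage. A playbook-level guard before rendering, e.g. `assert` that `ifaces_dhcp | difference(<interface list variable> | map(attribute='name')) | length == 0`, would catch that before it reaches the device. The surrounding sntp/ntp and `mgmt.gw` blocks continue outside the hunk.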
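Review bot: The reason `--giaddr-src` can be dropped for the non-outside VRF is recorded only as "seems to work OK", which will not help whoever next debugs relay source-address or giaddr behaviour; a short comment above the new `OPTIONS=""` line would keep that context, e.g. `# --giaddr-src was previously set for non-outside VRFs; dropped in 1d97ec2 after the relay was found to work without it`. With the option gone from both branches the `{% if %}` now selects only `INTF_CMD`, so `OPTIONS=""` could equally sit before the conditional next to `SERVERS=` for readability. The template's header lines lie above the hunk.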