diff --git a/roles/access/tasks/main.yml b/roles/access/tasks/main.yml
index 0cd612b..7739bdb 100644
--- a/roles/access/tasks/main.yml
+++ b/roles/access/tasks/main.yml
@@ -15,7 +15,7 @@
 ansible.netcommon.cli_config:
 config: '{{ lookup("template", "config-"~manufacturer~"-"~device_type~".j2") }}'
 vars:
- ansible_command_timeout: 60
+ ansible_command_timeout: 240
 ansible_terminal_stderr_re: [] # some errors are not actually errors
 register: result
 # These lines are not displayed by 'sho ru' and always reported as different, so ignore them.
diff --git a/roles/access/templates/config-d-link.j2 b/roles/access/templates/config-d-link.j2
index 283e4ec..3250be7 100644
--- a/roles/access/templates/config-d-link.j2
+++ b/roles/access/templates/config-d-link.j2
@@ -10,6 +10,7 @@ ip ssh server
 vlan {{ vlans | map(attribute='vid') | compact_numlist }}
+{# bond members #}
 {% for iface in interfaces | selectattr('lag') %}
 interface {{ iface.name }}
 {% if iface.enabled %} no{% endif %} shutdown
@@ -17,13 +18,21 @@ interface {{ iface.name }}
 {% endfor %}
+{# access interfaces #}
 {%- set mgmt = namespace(ip=false, gw=false) %}
 {%- for iface in interfaces | rejectattr('lag') %}
 interface {{ iface.name }}
-{% if iface.type.value != 'lag' %}
+{# common setup for user-facing interfaces #}
+{% if iface.type.value != 'lag' and not iface.mgmt_only %}
+ switchport port-security
+ switchport port-security maximum 250
+ switchport port-security violation shutdown
+ switchport port-security aging time 5
+ switchport port-security aging type inactivity
 {% if iface.enabled %} no shutdown{% else %} shutdown{% endif %}
 {% endif %}
+{# set VLAN for untagged ports #}
 {%+ if iface.mode and iface.mode.value == 'access' %}
 switchport mode access
 {% if iface.untagged_vlan and iface.untagged_vlan.vid != 1 %}
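Review bot: The new `ansible_command_timeout: 240` carries no explanation of why a fourfold increase is needed, so the next person tuning a slow or hanging push has nothing to go on; record the reason inline, e.g. `ansible_command_timeout: 240  # full config push with per-port port-security takes well over 60 s on these switches`, if that is indeed the trigger. Note also that the neighbouring `ansible_terminal_stderr_re: []` already suppresses stderr-based error detection for this task, so as far as I can tell commands the switch rejects (for instance the port-security lines on a firmware that lacks them) will not fail the task and surface only through `result`; worth checking that the caller inspects it. The task this hunk belongs to starts before the hunk.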
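Review bot: The port-security block is emitted for every non-LAG, non-management interface, which includes ports that the `elif iface.mode.value == 'tagged'` branch later configures as trunks, while the new comment calls it `common setup for user-facing interfaces`. A trunk that carries more than 250 source MACs would be err-disabled by `violation shutdown`, an availability risk on an uplink, and nothing in the visible template re-enables such a port; if port-security is meant for access ports only, wrap the five `switchport port-security` lines in `{% if iface.mode and iface.mode.value == 'access' %}` … `{% endif %}` (leaving the shutdown line under the outer condition), otherwise reword the comment to say trunks are covered too. The value 250 also deserves a why-comment, since at that size the feature limits address flooding rather than the number of hosts per port. The enclosing `for` loop closes outside this hunk.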
@@ -37,6 +46,9 @@ interface {{ iface.name }}
 no voice vlan enable
 {% endif %}
+{# set tagged and native VLANs for tagged ports #}
+{# if native (untagged) VLAN is set, add it to the list of tagged VLANs #}
+{# without this, the switch won’t forward traffic #}
 {%+ elif iface.mode and iface.mode.value == 'tagged' %}
 switchport mode trunk
 {% if iface.untagged_vlan %}
@@ -48,10 +60,12 @@ interface {{ iface.name }}
 {% endif %}
 switchport trunk allowed vlan {{ iface_vlans | map(attribute='vid') | compact_numlist }}
+{# we don’t support any other mode #}
 {%+ else %}
 {% endif %}
+{# store management address and gateway for later #}
 {%- if iface.mgmt_only and iface.ip_addresses %}
 {% set mgmt.ip = iface.ip_addresses[0].address %}
 {% if iface.custom_fields.gateway %}
@@ -66,6 +80,7 @@ interface {{ iface.name }}
 {% endif %}
 {% endfor %}
+{# management VLAN #}
 {%- if mgmt.ip %}
 interface Vlan1
 ip address {{ mgmt.ip | ipaddr('address') }} {{ mgmt.ip | ipaddr('netmask') }}
diff --git a/roles/exit/tasks/keepalived.yml b/roles/exit/tasks/keepalived.yml
index a9edf50..8c554eb 100644
--- a/roles/exit/tasks/keepalived.yml
+++ b/roles/exit/tasks/keepalived.yml
@@ -3,13 +3,13 @@
 block:
 - name: Install deps for keepalived
 package:
- name: autoconf,automake,build-essential,pkg-config,libxtables-dev,libip4tc-dev,libip6tc-dev,libipset-dev,libnl-3-dev,libnl-genl-3-dev,libssl-dev
+ name: autoconf,automake,build-essential,pkg-config,libxtables-dev,libip4tc-dev,libip6tc-dev,libnl-3-dev,libnl-genl-3-dev,libssl-dev
 - name: Checkout keepalived source
 git:
 repo: https://github.com/acassen/keepalived
 dest: /usr/local/src/keepalived
- version: v2.2.7
+ version: v2.3.2
 - name: Build and install keepalived
 shell: |
diff --git a/roles/exit/tasks/radvd.yml b/roles/exit/tasks/radvd.yml
index 0642042..000fb0c 100644
--- a/roles/exit/tasks/radvd.yml
+++ b/roles/exit/tasks/radvd.yml
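Review bot: `version: v2.3.2` pins the checkout to a tag, and a tag on a third-party repository can be moved after the fact; since the following task builds and installs whatever was checked out, pin `version` to the commit hash the tag currently resolves to (the `git` module accepts a full SHA) and keep the tag name in a comment for readability. Dropping `libipset-dev` from the dependency list is not explained; if keepalived's configure step auto-detects ipset support, the rebuilt binary silently loses that feature, so a short comment next to the package list such as `# ipset support is not used here, so libipset-dev is no longer installed` would record the intent. The enclosing `block:` continues beyond this hunk.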
@@ -5,6 +5,7 @@
 - name: Install deps for radvd
 package:
 name: autoconf,automake,bison,build-essential,flex,gettext,libtool,pkg-config,libbsd-dev,libbsd0
+ update_cache: true
 - name: Checkout radvd source
 git:
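Review bot: `update_cache: true` is added only to the radvd dependency task, while the keepalived dependency task touched in the same commit (`roles/exit/tasks/keepalived.yml`) installs its build packages without refreshing the cache, so a fresh host may still fail there on a stale index. Either add the same line to that task or, better, refresh the cache once at the start of the play (with `cache_valid_time` set so repeated runs do not hit the mirrors every time) and drop it from the individual tasks. Note that the generic `package` module passes `update_cache` through to the underlying package manager module, so it only has an effect where that manager supports it. The task list continues beyond this hunk.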