Define a custom SNMP group with read-only access to just the MIB subtrees we need. On D-Link switches, modifying the group must be handled the same way as modifying the user, i.e. the group (and the user) must be removed and re-added. Untested on FS S5800.
{# Management interface: the first interface flagged mgmt_only (presumably a NetBox
   interface object). `first` on an empty selection yields undefined, so a device
   with no mgmt_only interface fails to render instead of silently configuring nothing. #}
{% set mgmt_iface = interfaces | selectattr('mgmt_only') | first -%}

{# Global management-plane settings #}
terminal length default 0

{# Plain-HTTP management UI is turned off; SSH is enabled further down #}
no ip http server

{# Line stanzas are entered but left at their defaults. NOTE(review): the telnet
   line is not disabled here — confirm the telnet service is switched off elsewhere
   or on the platform default, otherwise cleartext management remains reachable. #}
line console

line telnet

line ssh

{# Hash both source and destination IP when distributing flows over a LAG #}
port-channel load-balance src-dst-ip

{# Encrypted management access #}
ip ssh server
{# VLAN database. Creations run first, deletions second, so a VLAN id present in
   both add_vlans and del_vlans ends up removed. Both lists are computed by the caller. #}
{% for vlan in add_vlans %}
vlan {{ vlan }}
{% endfor %}

{% for vlan in del_vlans %}
no vlan {{ vlan }}
{% endfor %}
{# bond members: physical ports that belong to a LAG. Only their admin state and
   channel-group membership are set here; the per-port hardening in the next loop
   (port-security, VLANs, DHCP-snooping trust) is applied to the LAG parent instead. #}
{% for iface in interfaces | selectattr('lag') %}
interface {{ iface.name }}
{# renders " no shutdown" when the interface is enabled, " shutdown" otherwise #}
{% if iface.enabled %} no{% endif %} shutdown
{# The channel-group id is the run of digits in the LAG name (e.g. "Port-channel10"
   gives 10). A LAG name without digits yields an empty id and an invalid command,
   so the naming convention must be enforced upstream. #}
channel-group {{ iface.lag.name | select('in', '0123456789') | join('') }} mode active

{% endfor %}
{# access interfaces: every interface that is not a LAG member — physical user
   ports, LAG parent interfaces and the mgmt_only port all pass through here #}
{%- for iface in interfaces | rejectattr('lag') %}
interface {{ iface.name }}
{# common setup for user-facing interfaces (skipped for LAG parents and the mgmt port,
   which therefore also get no shutdown / no shutdown line from this template) #}
{% if iface.type.value != 'lag' and not iface.mgmt_only %}
{% if iface.mode and iface.mode.value == 'access' %}
{# Access ports: cap learned MACs at 64, err-disable on violation (recovery of a
   shut port is not configured here), and age out idle entries after 5 (presumably
   minutes — confirm units for the platform) of inactivity. #}
switchport port-security
switchport port-security maximum 64
switchport port-security violation shutdown
switchport port-security aging time 5
switchport port-security aging type inactivity
{% else %}
{# Trunks and mode-less ports: explicitly clear every port-security knob so a port
   that was previously an access port does not keep stale limits #}
no switchport port-security
no switchport port-security maximum
no switchport port-security violation
no switchport port-security aging time
no switchport port-security aging type
{% endif %}
{% if iface.enabled %} no shutdown{% else %} shutdown{% endif %}
{% endif %}

{# set VLAN for untagged ports #}
{%+ if iface.mode and iface.mode.value == 'access' %}
switchport mode access
{# NOTE(review): no untagged VLAN, or VLAN 1, maps to "no switchport access vlan",
   i.e. the platform default VLAN — which is also the management SVI (interface
   Vlan1 below). Confirm that leaving a user port in the management VLAN is intended. #}
{% if iface.untagged_vlan and iface.untagged_vlan.vid != 1 %}
switchport access vlan {{ iface.untagged_vlan.vid }}
{% else %}
no switchport access vlan
{% endif %}
{# Voice VLAN is enabled on every access port whenever the play defines voice_vlan #}
{% if voice_vlan is defined and not iface.mgmt_only %}
voice vlan enable
{% else %}
no voice vlan enable
{% endif %}

{# set tagged and native VLANs for tagged ports #}
{# if a native (untagged) VLAN is set, add it to the list of tagged VLANs;
   without this the switch will not forward traffic on the native VLAN #}
{%+ elif iface.mode and iface.mode.value == 'tagged' %}
switchport mode trunk
{# NOTE(review): an empty tagged_vlans list falls back to `vlans` (everything
   passed to the template), so such a trunk carries every VLAN. Presumably intended
   for uplinks; any other trunk must have its tagged list populated or it fails open.
   If untagged_vlan is also in tagged_vlans it is listed twice — compact_numlist is a
   project filter, so confirm it tolerates duplicates. #}
{% if iface.untagged_vlan %}
{% set iface_vlans = (iface.tagged_vlans or vlans) + [iface.untagged_vlan] %}
switchport trunk native vlan {{ iface.untagged_vlan.vid }}
{% else %}
{% set iface_vlans = (iface.tagged_vlans or vlans) %}
no switchport trunk native vlan
{% endif %}
switchport trunk allowed vlan {{ iface_vlans | map(attribute='vid') | compact_numlist }}

{# we do not support any other mode (e.g. "tagged-all"): nothing is emitted, so
   whatever switchport configuration already exists on the device is left untouched #}
{%+ else %}

{% endif %}

{# DHCP snooping: only interfaces named in ifaces_dhcp (server/uplink facing) are
   trusted; every other port is explicitly untrusted #}
{% if iface.name in ifaces_dhcp | default([]) %}
ip dhcp snooping trust
{% else %}
no ip dhcp snooping trust
{% endif %}
{% endfor %}
{# management VLAN: the in-band SVI carries every address assigned to the
   mgmt_only interface. IPv4 is emitted as address + dotted netmask; IPv6 is
   emitted in prefix notation (the raw "addr/len" string, upper-cased), so the
   platform is presumably expected to accept CIDR form for IPv6 only. #}
interface Vlan1
{% for address in mgmt_iface.ip_addresses %}
{% if address.family.value == 4 %}
ip address {{ address.address | ipaddr('address') }} {{ address.address | ipaddr('netmask') }}
{% else %}
ipv6 address {{ address.address | upper }}
{% endif %}
{% endfor %}
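{# Voice VLAN OUI table: phones are classified by MAC prefix. The list can be
   overridden per deployment with `voice_vlan_ouis` (a list of dicts with keys
   mac, mask, description); the default reproduces the Cisco OUIs that were
   previously hard-coded here, in the same order.
   NOTE(review): OUI matching is trust-by-MAC and is trivially spoofed by a host
   that sets a phone-like address, so it must not be the only control gating the
   voice VLAN. #}
{% for oui in voice_vlan_ouis | default([
    {'mac': '2C-3E-CF-00-00-00', 'mask': 'FF-FF-FF-00-00-00', 'description': 'Cisco'},
    {'mac': '3C-0E-23-00-00-00', 'mask': 'FF-FF-FF-00-00-00', 'description': 'Cisco'},
    {'mac': 'B8-38-61-00-00-00', 'mask': 'FF-FF-FF-00-00-00', 'description': 'Cisco'},
    {'mac': 'C4-14-3C-00-00-00', 'mask': 'FF-FF-FF-00-00-00', 'description': 'Cisco'},
]) %}
voice vlan mac-address {{ oui.mac }} {{ oui.mask }} description {{ oui.description }}
{% endfor %}

{# Voice VLAN id; when the play does not define voice_vlan the feature is switched off #}
{% if voice_vlan is defined %}
voice vlan {{ voice_vlan }}
{% else %}
no voice vlan
{% endif %}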
{# SNMP agent #}
snmp-server
snmp-server name {{ inventory_hostname }}
snmp-server location {{ rack }}
{# SNMP engine ID must be exactly 24 hex digits. It is pinned per device because
   SNMPv3 localises user keys to the engine ID; letting the switch regenerate it
   would invalidate every configured SNMPv3 user. #}
snmp-server engineID local {{ snmp_engine_id }}
{# limit MIBs exposed over SNMP: view "public" is a read-only inventory subset
   (system, interfaces, Q-BRIDGE, ifMIB). "public" is a view name here, not a
   community string. The group/user that binds to this view is not defined in this
   template — confirm it is applied, otherwise the view restricts nothing.
   The "+" on each inline comment keeps the line break after it under trim_blocks. #}
snmp-server view public 1.3.6.1.2.1.1 included {# system +#}
snmp-server view public 1.3.6.1.2.1.2 included {# interfaces +#}
snmp-server view public 1.3.6.1.2.1.17.7 included {# qBridgeMIB +#}
snmp-server view public 1.3.6.1.2.1.31 included {# ifMIB +#}
{# Time sync: SNTP client against every address in `ntp`. No authentication keys
   are configured here, so time is trusted from whatever answers on those addresses;
   accurate time matters for log correlation and certificate validity checks. #}
sntp enable
{% for address in ntp %}
sntp server {{ address }}
{% endfor %}

{# Refuse NTP control and modification requests from any peer (default group) #}
ntp access-group default nomodify noquery
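{# Global DHCP snooping: enabled only when at least one trusted (server- or
   uplink-facing) interface is listed in ifaces_dhcp. The default is an empty list
   so this test agrees with the per-interface `ip dhcp snooping trust` check, which
   treats ifaces_dhcp as a list (an empty list and false are both falsy, so the
   rendered output is unchanged). With snooping on, DHCP server replies arriving on
   any port not in that list are dropped. #}
{% if ifaces_dhcp | default([]) %}
ip dhcp snooping
{% else %}
no ip dhcp snooping
{% endif %}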
{# Default routes: for each management address, look up the prefix that contains
   it and use that prefix's `gateway` custom field, which is expected to be an
   address object exposing .family.value and .address (presumably a NetBox
   IPAddress — not verifiable from here). `first` on a prefix list with no match
   yields undefined, so the `prefix.custom_fields` access below fails the render
   rather than silently skipping the route. #}
{% for address in mgmt_iface.ip_addresses %}
{% set subnet = address.address | ipaddr('subnet') %}
{% set prefix = prefixes | selectattr('prefix', '==', subnet) | first %}
{% if prefix.custom_fields.gateway %}
{% set gateway = prefix.custom_fields.gateway %}
{% if gateway.family.value == 4 %}
ip route 0.0.0.0 0.0.0.0 {{ gateway.address | ipaddr('address') }} primary
{% else %}
{# The IPv6 default route is bound to the management SVI (vlan1) as egress interface #}
ipv6 route default vlan1 {{ gateway.address | ipaddr('address') | upper }} primary
{% endif %}
{% endif %}
{% endfor %}
{# Disable DDP (presumably D-Link Discovery Protocol, given the D-Link targets in
   the commit note): discovery protocols advertise device details on every port #}
no ddp