{% macro iface_config(iftype, ifnum, settings) -%}
{#
  Render the configuration stanza for a single interface.

  iftype   -- interface type prefix ('Ethernet' or 'Loopback'); concatenated
              with ifnum to build the interface name.
  ifnum    -- interface number; must be an integer because of the %d format.
              Forwarded to iface_cfg_ethernet_peer so it can name the
              per-port MAC ACL.
  settings -- object with .profile (selects the macro below) and .options
              (passed through untouched to the non-peer macros).

  Every (iftype, profile) pair not listed here aborts rendering through
  undef(), so a typo in a profile name can never yield an empty stanza.
#}
{% set iface = "%s%d"|format(iftype, ifnum) %}
{% if iftype == 'Ethernet' and settings.profile == 'peer' %}
{{ iface_cfg_ethernet_peer(iface, ifnum) }}
{% elif iftype == 'Ethernet' and settings.profile == 'underlay' %}
{{ iface_cfg_ethernet_underlay(iface, settings.options) }}
{% elif iftype == 'Ethernet' and settings.profile == 'unused' %}
{{ iface_cfg_ethernet_unused(iface, settings.options) }}
{% elif iftype == 'Loopback' and settings.profile == 'underlay' %}
{{ iface_cfg_loopback_underlay(iface, settings.options) }}
{% elif iftype == 'Loopback' and settings.profile == 'management' %}
{{ iface_cfg_loopback_management(iface, settings.options) }}
{% else %}
{{ undef(hint='ASSERTION: unhandled iface profile %s for %s'|format(settings.profile, iface)) }}
{% endif %}
{%- endmacro -%}
{% macro iface_cfg_ethernet_peer_free() %}
{#
  Body for a peer-profile port that has no peer assigned in IXP Manager.
  The caller (iface_cfg_ethernet_peer) emits the "interface" line; this
  macro only renders the lines below it.

  Defence in depth for an unassigned port: it is shut down, an ingress MAC
  ACL named "block" is bound (the ACL itself is defined outside this file --
  presumably deny-all, verify), storm-control is clamped, and LLDP is off in
  both directions so nothing about the fabric is advertised to a stray cable.
#}
description FREE UNASSIGNED
shutdown
mac access-group block in
storm-control broadcast level 0.01
storm-control multicast level 0.01
storm-control unknown-unicast level 0.01
no lldp transmit
no lldp receive
{%- endmacro -%}
{% macro iface_cfg_ethernet_peer_peering(ifnum, status, peer) %}
{#
  Body for a port whose IXP Manager port status maps to the "peering"
  profile: access port in VLAN 600 with the per-port ingress MAC ACL
  "peer-eth<ifnum>" (rendered by mac_acl_peer), LLDP off, sFlow on.

  ifnum  -- port number, used only to name the ACL.
  status -- entry of ixp_manager_portstatus; .label goes into the description.
  peer   -- IXP Manager peer record; .asn and .slug go into the description.

  NOTE(review): status.label, peer.asn and peer.slug are written verbatim
  into one CLI line. Confirm the IXP Manager export guarantees they are
  single-line values; a value containing a line break would spill into
  additional configuration statements.
#}
description {{ status.label }} AS{{ peer.asn }} {{ peer.slug }}
switchport access vlan 600
mac access-group peer-eth{{ ifnum }} in
no lldp transmit
no lldp receive
sflow enable
storm-control broadcast level 0.01
storm-control multicast level 0.01
storm-control unknown-unicast level 0.01
{%- endmacro -%}
{% macro iface_cfg_ethernet_peer_quarantine(ifnum, status, peer) %}
{#
  Body for a port in the "quarantine" profile: same as the peering profile
  but the port sits in VLAN 666 (the quarantine VLAN, see the rule-50 remark
  in mac_acl_peer) and sFlow is not enabled.

  The same per-port ACL "peer-eth<ifnum>" is bound; its rule 51 permits
  any/any on VLAN 666, so in quarantine the peer is not MAC-restricted.

  Parameters are as in iface_cfg_ethernet_peer_peering; the same caveat
  about the description fields being emitted verbatim applies here.
#}
description {{ status.label }} AS{{ peer.asn }} {{ peer.slug }}
switchport access vlan 666
mac access-group peer-eth{{ ifnum }} in
no lldp transmit
no lldp receive
storm-control broadcast level 0.01
storm-control multicast level 0.01
storm-control unknown-unicast level 0.01
{%- endmacro -%}
{% macro iface_cfg_ethernet_peer_shutdown(ifnum, status, peer) %}
{#
  Body for a port in the "shutdown" profile: identical to the quarantine
  profile (VLAN 666, per-port ACL, LLDP off, storm-control) plus an explicit
  "shutdown", so the port stays parked in the quarantine VLAN even if it is
  later re-enabled by hand.

  Parameters are as in iface_cfg_ethernet_peer_peering; the same caveat
  about the description fields being emitted verbatim applies here.
#}
description {{ status.label }} AS{{ peer.asn }} {{ peer.slug }}
shutdown
switchport access vlan 666
mac access-group peer-eth{{ ifnum }} in
no lldp transmit
no lldp receive
storm-control broadcast level 0.01
storm-control multicast level 0.01
storm-control unknown-unicast level 0.01
{%- endmacro -%}
{% macro iface_cfg_ethernet_peer(iface, ifnum) -%}
{#
  Render an Ethernet port in the 'peer' profile. What the port becomes is
  decided purely by IXP Manager data: the peers whose switchport equals this
  interface and whose switchname equals this switch.

  iface -- full interface name (Ethernet<ifnum>), used both for the lookup
           and for the "interface" line.
  ifnum -- port number, forwarded so the bound ACL "peer-eth<ifnum>" matches
           what mac_acl_peer renders.

  0 peers  -> locked-down free port (iface_cfg_ethernet_peer_free).
  1 peer   -> profile taken from ixp_manager_portstatus[peer.status];
              a status that is not in that table aborts via undef().
  2+ peers -> abort via undef(); a port can never belong to two peers.

  NOTE(review): the selectattr result is used twice (|count then |first).
  In plain Jinja that is a one-shot generator; this relies on the templating
  environment materialising filter results (Ansible's templar does) --
  confirm if the file is ever rendered elsewhere. A peer.status that is
  missing from ixp_manager_portstatus presumably fails on status.profile.
#}
{% set peers = ixp_manager_peers|selectattr('switchport', 'equalto', iface)|selectattr('switchname', 'equalto', switch_vars.inventory_hostname_short) %}
interface {{ iface }}
{% set len = peers|count %}
{% if len == 0 %}
{{ iface_cfg_ethernet_peer_free() }}
{% elif len == 1 %}
{% set peer = peers|first %}
{% set status = ixp_manager_portstatus[peer.status] %}
{% if status.profile == "peering" %}
{{ iface_cfg_ethernet_peer_peering(ifnum, status, peer) }}
{% elif status.profile == "shutdown" %}
{{ iface_cfg_ethernet_peer_shutdown(ifnum, status, peer) }}
{% elif status.profile == "quarantine" %}
{{ iface_cfg_ethernet_peer_quarantine(ifnum, status, peer) }}
{% else %}
{{ undef(hint='ASSERTION: unhandled portstatus profile %s'|format(status.profile)) }}
{% endif %}
{% else %}
{{ undef(hint='ASSERTION: found more than a single peer for iface %s'|format(iface)) }}
{% endif %}
{%- endmacro -%}
{% macro iface_cfg_ethernet_underlay(iface, opts) -%}
{#
  Render a routed fabric ("underlay") Ethernet link.

  iface -- full interface name.
  opts  -- settings.options of the interface; reads .description, .ipv4,
           .ipv6 and .lladdr. All four are emitted verbatim, so they are
           expected to be valid address/prefix strings (not checked here).

  The link is routed (no switchport), jumbo (mtu 9214), carries an explicit
  IPv6 link-local address, sends no router advertisements, and joins the
  IS-IS instance named "backbone".
#}
interface {{ iface }}
description {{ opts.description }}
mtu 9214
no switchport
ip address {{ opts.ipv4 }}
ipv6 address {{ opts.ipv6 }}
ipv6 address {{ opts.lladdr }} link-local
ipv6 nd ra disabled
isis enable backbone
{%- endmacro -%}
{% macro iface_cfg_ethernet_unused(iface, opts) -%}
{#
  Render an administratively unused Ethernet port: description plus shutdown.

  iface -- full interface name.
  opts  -- accepted for signature parity with the other profile macros but
           not read.
#}
interface {{ iface }}
description UNUSED
shutdown
{%- endmacro -%}
{% macro iface_cfg_loopback_underlay(iface, opts) -%}
{#
  Render the fabric loopback: dual-stack addresses, advertised into the
  IS-IS "backbone" instance as a passive interface (no adjacencies formed).

  iface -- full interface name.
  opts  -- reads .description, .ipv4 and .ipv6; emitted verbatim.
#}
interface {{ iface }}
description {{ opts.description }}
ip address {{ opts.ipv4 }}
ipv6 address {{ opts.ipv6 }}
isis enable backbone
isis passive
{%- endmacro -%}
{% macro iface_cfg_loopback_management(iface, opts) -%}
{#
  Render the in-band management loopback: IPv6-only, placed in VRF
  "inband-mgmt" so management traffic stays separated from the fabric and
  peering tables.

  iface -- full interface name.
  opts  -- reads .description and .ipv6; emitted verbatim.
#}
interface {{ iface }}
description {{ opts.description }}
vrf inband-mgmt
ipv6 address {{ opts.ipv6 }}
{%- endmacro -%}
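{% macro mac_acl_peer(ifnum) -%}
{#
  Render the ingress MAC ACL "peer-eth<ifnum>" that the peering, quarantine
  and shutdown profiles bind with "mac access-group peer-eth<ifnum> in".

  ifnum -- Ethernet port number. The peer is looked up exactly as in
           iface_cfg_ethernet_peer (switchport == Ethernet<ifnum> on this
           switch), so the two macros always agree on which peer a port has.

  Exactly one peer  -> emit the ACL.
  No peer           -> emit nothing; the free-port profile binds the shared
                       "block" ACL instead.
  More than one     -> abort via undef().

  Fix: the "mac access-list" header was previously emitted only inside the
  l2address branch, so a peer without an l2address produced bare
  "10 remark ..." lines with no ACL context. The header now precedes the
  branch, so every single-peer port gets a complete ACL; output for peers
  with an l2address is unchanged.

  Rule layout (VLAN 600 is the peering LAN, 666 the quarantine VLAN):
    10/11  ARP broadcast from the peer's own MAC only
    20/21  IPv6 ND to solicited-node multicast (33:33:ff::/24 of the MAC)
           from the peer's MAC only
    30/31  every other broadcast/multicast on VLAN 600 is dropped and logged
           (mask fe:ff:.. leaves only the group bit significant -- presumably
           EOS wildcard-mask semantics, 0 = must match; verify)
    40-43  unicast ARP/IP/IPv6 from the peer's MAC only
    50/51  anything goes on the quarantine VLAN
    100/1  explicit logged deny-all
  Without an l2address the permit rules are replaced by remarks, so the
  peer cannot send anything on VLAN 600 until IXP Manager has its MAC.

  NOTE(review): like iface_cfg_ethernet_peer this applies |count and |first
  to one selectattr result, relying on the templating environment to
  materialise it (Ansible does).
#}
{% set iface = "Ethernet%d"|format(ifnum) %}
{% set peers = ixp_manager_peers|selectattr('switchport', 'equalto', iface)|selectattr('switchname', 'equalto', switch_vars.inventory_hostname_short) %}
{% set len = peers|count %}
{% if len == 1 %}
{% set peer = peers|first %}
mac access-list peer-eth{{ ifnum }}
{% if peer.l2address %}
10 remark AS{{ peer.asn }} allow arp broadcast
11 permit vlan 600 0x000 {{ peer.l2address|ansible.utils.hwaddr('linux') }} 00:00:00:00:00:00 ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 arp
20 remark AS{{ peer.asn }} allow nd multicast
21 permit vlan 600 0x000 {{ peer.l2address|ansible.utils.hwaddr('linux') }} 00:00:00:00:00:00 33:33:ff:00:00:00 00:00:00:ff:ff:ff ipv6
{% else %}
10 remark AS{{ peer.asn }} peer has no l2address
20 remark AS{{ peer.asn }} peer has no l2address
{% endif %}
30 remark AS{{ peer.asn }} drop other broadcasts or multicasts
31 deny vlan 600 0x000 any 01:00:00:00:00:00 fe:ff:ff:ff:ff:ff log
{% if peer.l2address %}
40 remark AS{{ peer.asn }} allow peering lan access
41 permit vlan 600 0x000 {{ peer.l2address|ansible.utils.hwaddr('linux') }} 00:00:00:00:00:00 any arp
42 permit vlan 600 0x000 {{ peer.l2address|ansible.utils.hwaddr('linux') }} 00:00:00:00:00:00 any ip
43 permit vlan 600 0x000 {{ peer.l2address|ansible.utils.hwaddr('linux') }} 00:00:00:00:00:00 any ipv6
{% else %}
40 remark AS{{ peer.asn }} peer has no l2address
{% endif %}
50 remark AS{{ peer.asn }} allow quarantine vlan
51 permit vlan 666 0x000 any any
100 remark AS{{ peer.asn }} drop any
101 deny any any log
!
{% elif len != 0 %}
{{ undef(hint='ASSERTION: found more than a single peer for iface %s'|format(iface)) }}
{% endif %}
{%- endmacro -%}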
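{% macro mac_address_table() -%}
{#
  Render one static MAC-table entry per peer on this switch, pinning the
  peer's MAC to its switchport in VLAN 600 so it cannot be learned on any
  other port.

  Peers without an l2address are skipped. Entries are ordered by l2address
  so the rendered config is stable between runs.

  Fix: the l2address filter now runs before the sort. Previously the whole
  peer list (including entries with no l2address) was sorted first; if that
  field is None rather than "" the None/str comparison raises and aborts the
  render. Filtering first avoids that and leaves the emitted order unchanged.
#}
{% for peer in ixp_manager_peers|selectattr('switchname', 'equalto', switch_vars.inventory_hostname_short)|selectattr('l2address')|sort(attribute='l2address') %}
mac address-table static {{ peer.l2address|ansible.utils.hwaddr('cisco') }} vlan 600 interface {{ peer.switchport }}
{% endfor %}
{%- endmacro -%}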