{#
  Switch configuration template (Jinja2). The command syntax looks like
  ArubaOS-Switch / ProCurve CLI -- TODO confirm the target platform.

  Layout note: line breaks are restored on the assumption of one CLI command
  per line; the 3-space indent inside interface/vlan/device-profile contexts
  is presumed -- confirm against the original file.

  Variables read by this template:
    header, hostname, location, snmp_user, unauth_redirect,
    dhcp_snooping_vlans, dhcp_servers, dhcpv6_snooping_vlans,
    multicast_filter, logging, radius_servers, sntp, dns,
    ipv4_managers, ipv6_managers, ra_guard_ports, interfaces,
    mac_based_ports, vlans, loop_protect, arp_protect.

  Security notes for whoever renders this:
    * The rendered output contains each RADIUS shared secret (r.secret) in
      clear text, so handle and store the rendered file as a secret.
    * Every value is interpolated as-is. A double quote or newline inside
      hostname, location, an interface/VLAN name, snmp_user or unauth_redirect
      would end the quoted string and could add extra configuration lines.
      Validate these inputs before rendering unless the inventory is fully
      trusted.

  All tags use the "{%-" form, which strips the whitespace before the tag, so
  each command is emitted on its own line without blank lines in between.
-#}
{{ header }}
hostname "{{ hostname }}"
{#- Console sessions (including the serial-usb console) get an idle timeout of 1800,
    presumably seconds -- confirm. CDP is switched off. #}
console idle-timeout 1800
console idle-timeout serial-usb 1800
no cdp run
{#- DHCP snooping is emitted only when dhcp_snooping_vlans is set; each entry of
    dhcp_servers becomes an authorized server. #}
{%- if dhcp_snooping_vlans %}
dhcp-snooping
{%- for s in dhcp_servers %}
dhcp-snooping authorized-server {{ s }}
{%- endfor %}
dhcp-snooping vlan {{ dhcp_snooping_vlans }}
{%- endif %}
{%- if dhcpv6_snooping_vlans %}
dhcpv6-snooping
dhcpv6-snooping vlan {{ dhcpv6_snooping_vlans }}
{%- endif %}
{%- for m in multicast_filter %}
filter multicast {{ m.mac_addr }} drop {{ m.ports }}
{%- endfor %}
{%- for l in logging %}
logging {{ l }}
{%- endfor %}
{#- Two lines per RADIUS server: one enables dyn-authorization for that host, one
    sets its shared key. The key is written in clear text (see header note).
    NOTE(review): dyn-authorization presumably lets the server push
    change-of-authorization / disconnect requests to the switch -- confirm that only
    the listed servers can reach the switch for that traffic. #}
{%- if radius_servers %}
{%- for r in radius_servers %}
radius-server host {{ r.ip }} dyn-authorization
radius-server host {{ r.ip }} key {{ r.secret }}
{%- endfor %}
radius-server dead-time 2
{%- endif %}
{#- Time comes from unicast SNTP; loop.index (1-based) sets the priority, so the
    order of the sntp list is the order of preference. #}
timesync sntp
sntp unicast
{%- for s in sntp %}
sntp server priority {{ loop.index }} {{ s }}
{%- endfor %}
{#- Telnet is disabled; the SSH settings are further down. #}
no telnet-server
time daylight-time-rule western-europe
time timezone 60
{#- One authorized-managers line per entry in ipv4_managers, each with manager-level access.
    NOTE(review): when ipv4_managers is empty no line is emitted at all; presumably
    the switch then accepts management connections from any address -- confirm that
    an empty dict is rejected before rendering. The same applies to ipv6_managers. #}
{%- for i4 in ipv4_managers.values() %}
ip authorized-managers {{ i4.ip }} {{ i4.subnet }} access manager
{%- endfor %}
{%- for d in dns %}
ip dns server-address priority {{ loop.index }} {{ d }}
{%- endfor %}
{#- Enables file transfer over SSH (SCP/SFTP). #}
ip ssh filetransfer
{%- for i6 in ipv6_managers.values() %}
ipv6 authorized-managers {{ i6.ip }} {{ i6.subnet }} access manager
{%- endfor %}
{%- if ra_guard_ports %}
ipv6 ra-guard ports {{ ra_guard_ports }}
{%- endif %}
{#- Per-port settings. The *_trust flags mark a port as trusted for DHCP snooping,
    DHCPv6 snooping and ARP protection, which exempts it from those checks; they
    should be set only on uplinks and ports facing legitimate servers. #}
{%- for iface in interfaces %}
interface {{ iface.number }}
   name "{{ iface.name }}"
{%- if iface.dhcp_trust %}
   dhcp-snooping trust
{%- endif %}
{%- if iface.dhcpv6_trust %}
   dhcpv6-snooping trust
{%- endif %}
{#- NOTE(review): the endif below is the only tag without the leading "-", so the
    whitespace after flow-control is kept in the output; presumably this only adds
    a blank line -- confirm it is not intentional. #}
{%- if iface.flowcontrol %}
   flow-control
{% endif %}
{%- if iface.arp_trust %}
   arp-protect trust
{%- endif %}
   exit
{%- endfor %}
{#- SNMP. The community string is the hard-coded, well-known value "public" at
    operator level, alongside SNMPv3 with restricted-access.
    NOTE(review): restricted-access presumably leaves SNMPv1/v2c usable read-only,
    so anyone who can reach the switch can still read it with "public". If no
    v1/v2c poller depends on it, consider removing the community or using
    "snmpv3 only"; otherwise take the string from a variable.
    NOTE(review): the snmpv3 user line carries no auth/priv parameters here;
    presumably those credentials are set by another step -- verify the user does
    not end up without authentication. #}
snmp-server community "public" operator
snmp-server location "{{ location }}"
snmpv3 enable
snmpv3 restricted-access
snmpv3 group managerpriv user "{{ snmp_user }}" sec-model ver3
snmpv3 user "{{ snmp_user }}"
{#- Network accounting goes to RADIUS (start-stop, periodic update 240). This is
    emitted even when radius_servers is empty. #}
aaa accounting update periodic 240
aaa accounting network start-stop radius
{#- SSH login and enable both use public-key authentication. #}
aaa authentication ssh login public-key
aaa authentication ssh enable public-key
{#- MAC-based port access, emitted only when mac_based_ports is set. Ports whose
    iface.mac_based flag is set also get a per-port address limit and logoff
    period. MAC addresses are asserted by the client, so addr-limit is the only
    bound on how many clients a port accepts. #}
{%- if mac_based_ports %}
aaa port-access mac-based {{ mac_based_ports }}
{%- for iface in interfaces %}
{%- if iface.mac_based %}
aaa port-access mac-based {{ iface.number }} addr-limit {{ iface.addr_limit }}
aaa port-access mac-based {{ iface.number }} logoff-period {{ iface.logoff }}
{%- endif %}
{%- endfor %}
aaa port-access mac-based addr-format multi-colon
aaa port-access mac-based unauth-redirect "{{ unauth_redirect }}"
{%- endif %}
{#- One vlan context per entry of vlans (key = VLAN number). A VLAN without
    vlan.ip gets an explicit "no ip address"; the IPv6 address is only considered
    when vlan.ip is set. #}
{%- for number, vlan in vlans.items() %}
vlan {{ number }}
   name "{{ vlan.name }}"
{%- if vlan.untagged %}
   untagged {{ vlan.untagged }}
{%- endif %}
{%- if vlan.tagged %}
   tagged {{ vlan.tagged }}
{%- endif %}
{%- if vlan.ip %}
   ip address {{ vlan.ip.addr }} {{ vlan.ip.subnet }}
{%- if vlan.ip.addr6 %}
   ipv6 address {{ vlan.ip.addr6 }}/{{ vlan.ip.subnet6 }}
{%- endif %}
{%- else %}
   no ip address
{%- endif %}
{%- if vlan.igmp %}
   ip igmp
{%- endif %}
{%- if vlan.ipv6_mld %}
   ipv6 mld enable
{%- endif %}
   exit
{%- endfor %}
allow-unsupported-transceiver
{%- if loop_protect %}
loop-protect {{ loop_protect.ports }}
loop-protect transmit-interval 3 disable-timer 30
{%- endif %}
{#- ARP protection with source and destination MAC validation on the listed VLANs.
    NOTE(review): presumably this relies on the DHCP snooping binding table, so
    check that the arp_protect VLANs are also covered by dhcp_snooping_vlans. #}
{%- if arp_protect %}
arp-protect
arp-protect validate src-mac dest-mac
arp-protect vlan {{ arp_protect.vlans }}
{%- endif %}
device-profile name "default-ap-profile"
   cos 0
   exit
{#- NOTE(review): presumably these switch off the vendor's automatic provisioning
    and software-update service -- confirm. #}
activate software-update disable
activate provision disable
{#- NOTE(review): no password value is rendered on these two lines; presumably
    they are the placeholders a switch prints in a saved configuration. Confirm
    that another step sets the manager and operator passwords, so a device
    provisioned from this file is not left without them. #}
password manager
password operator