
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- INTERFACES -=-=-=-=-=-=-=-=-=-=-=-=-=- */
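{# Per-interface IPv4 OSPF stanza. Everything is read from pillar under
   interfaces:<iface>:ip:ospf; when that subtree is absent nothing is emitted.
   A passive interface only gets its (optional) cost here: for IPv4 the
   passive flag is rendered as "protocols ospf passive-interface <iface>" in
   the PROTOCOLS section of this template, not inside the interface. #}
{% macro interface_ip_ospf(iface_name) %}{% set ospf_path = 'interfaces:' + iface_name + ':ip:ospf' %}
{% if salt['pillar.get'](ospf_path) %}
ospf {
{% if salt['pillar.get'](ospf_path + ':cost', None) != None %}cost {{ salt['pillar.get'](ospf_path + ':cost') }}{% endif %}
{% if not salt['pillar.get'](ospf_path + ':passive') %}
{# "network" has no sensible default, so it is only emitted when pillar sets
   it; previously an unset value rendered the literal line "network None",
   which is not a valid config value. #}
{% if salt['pillar.get'](ospf_path + ':network', None) != None %}network {{ salt['pillar.get'](ospf_path + ':network') }}{% endif %}
dead-interval {{ salt['pillar.get'](ospf_path + ':dead-interval', 40) }}
hello-interval {{ salt['pillar.get'](ospf_path + ':hello-interval', 10) }}
priority {{ salt['pillar.get'](ospf_path + ':priority', 1) }}
retransmit-interval {{ salt['pillar.get'](ospf_path + ':retransmit-interval', 5) }}
transmit-delay {{ salt['pillar.get'](ospf_path + ':transmit-delay', 1) }}
{% endif %}
}
{% endif %}
{% endmacro %}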
{# Per-interface OSPFv3 stanza, driven by pillar interfaces:<iface>:ipv6:ospfv3.
   Unlike the IPv4 macro, a passive OSPFv3 interface is marked with the
   "passive" keyword inside the stanza itself; active interfaces get the
   timer set (defaults 40/10/1/5/1, the same values as the IPv4 macro). #}
{% macro interface_ipv6_ospfv3(iface_name) %}{% set v3_path = 'interfaces:' + iface_name + ':ipv6:ospfv3' %}
{% if salt['pillar.get'](v3_path) %}
ospfv3 {
{% if salt['pillar.get'](v3_path + ':cost', None) != None %}cost {{ salt['pillar.get'](v3_path + ':cost') }}{% endif %}
instance-id {{ salt['pillar.get'](v3_path + ':instance-id', 0) }}
{% if not salt['pillar.get'](v3_path + ':passive') %}
dead-interval {{ salt['pillar.get'](v3_path + ':dead-interval', 40) }}
hello-interval {{ salt['pillar.get'](v3_path + ':hello-interval', 10) }}
priority {{ salt['pillar.get'](v3_path + ':priority', 1) }}
retransmit-interval {{ salt['pillar.get'](v3_path + ':retransmit-interval', 5) }}
transmit-delay {{ salt['pillar.get'](v3_path + ':transmit-delay', 1) }}
{% else %}
passive
{% endif %}
}
{% endif %}
{% endmacro %}
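{# Escape a NetBox-supplied string for use inside a double-quoted VyOS config
   value. Descriptions and VLAN names are written by anyone with edit rights
   in NetBox, so from the router's point of view they are untrusted input.
   Backslashes must be doubled BEFORE quotes are escaped: a value ending in a
   backslash (foo\) otherwise renders as "foo\" and the closing quote is eaten,
   breaking the config. CR/LF would terminate the config line, so they are
   folded to spaces. #}
{% macro vyos_quote(s) %}{{ s.replace('\\', '\\\\').replace('"', '\\"').replace('\r', ' ').replace('\n', ' ') }}{% endmacro %}
{# Interface description text: the NetBox description (or "-" when empty),
   followed by " (<peer interface> @ <peer device>)" when the cable is marked
   connected and the far end is a device. #}
{% macro iface_description(iface_data) %}{{ vyos_quote(iface_data['description']) or "-" }}{% if iface_data['connected_endpoint'] and iface_data['connected_endpoint']['connection_status']['value'] %} ({% if iface_data['connected_endpoint']['device'] %}{{ vyos_quote(iface_data['connected_endpoint']['name']) }} @ {{ vyos_quote(iface_data['connected_endpoint']['device']['display_name']) }}{% endif %}){% endif %}{% endmacro %}
{# NOTE(review): iface_name is emitted verbatim as the VyOS interface name;
   this assumes NetBox interface names match the real device names (eth0,
   bond0, ...) and contain nothing the config parser treats specially. #}
interfaces {
{% for iface_name, iface_data in pillar['netbox']['interfaces'].items() %}{% if iface_data['mgmt_only'] %}
{# management-only ports are deliberately left out of the routed config #}
{% elif iface_name == 'lo' %}
loopback lo {
description "{{ iface_description(iface_data) }}"
{% for address in iface_data['addresses'] %}
address {{ address['address'] }}
{% endfor %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ip') %}
ip {
{{ interface_ip_ospf(iface_name) }}
}
{% endif %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ipv6') %}
ipv6 {
{{ interface_ipv6_ospfv3(iface_name) }}
}
{% endif %}
}
{% elif iface_data['form_factor']['label'] != 'Virtual' %}
ethernet {{ iface_name }} {
description "{{ iface_description(iface_data) }}"
{% for address in iface_data['addresses'] %}
address {{ address['address'] }}
{% endfor %}
{% if iface_data['mac_address'] %}hw-id {{ iface_data['mac_address'].lower() }}{% endif %}
duplex auto
policy {
}
smp-affinity auto
speed auto
{% if not iface_data['enabled'] %}disable{% endif %}
{% if iface_data['lag'] %}bond-group {{ iface_data['lag']['name'] }}{% endif %}
{# One vif per tagged VLAN. Addresses and enabled state come from the NetBox
   sub-interface named "<iface>.<vid zero-padded to 4 digits>"; when no such
   sub-interface exists the vif is rendered disabled with no addresses. #}
{% for tagged_vlan in iface_data['tagged_vlans'] %}
{% set subiface_data = salt['pillar.get']('netbox:interfaces:%s.%04d'%(iface_name,tagged_vlan['vid']),{'description':'','addresses':[],'enabled':False}) %}
vif {{ tagged_vlan['vid'] }} {
description "{{ vyos_quote(tagged_vlan['name']) or "-" }} => {{ vyos_quote(subiface_data['description']) or "-" }}"
{% for address in subiface_data['addresses'] %}
address {{ address['address'] }}
{% endfor %}
{% if not subiface_data['enabled'] %}disable{% endif %}
}
{% endfor %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ip') %}
ip {
{{ interface_ip_ospf(iface_name) }}
}
{% endif %}
{% if salt['pillar.get']('interfaces:'+iface_name+':ipv6') %}
ipv6 {
dup-addr-detect-transmits 1
{{ interface_ipv6_ospfv3(iface_name) }}
}
{% endif %}
}
{% endif %}{% endfor %}
}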
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- PROTOCOLS -=-=-=-=-=-=-=-=-=-=-=-=-=- */
protocols {
{# RPKI validator cache. NOTE(review): this RTR session is plain TCP on port
   3323 (no transport-security sub-node is configured), so the ROA feed is
   neither authenticated nor integrity-protected on the wire unless the path
   to the cache is itself trusted — worth confirming. Also note that nothing
   in this template's POLICY section references RPKI validation state (only
   prefix-lists are defined, no route-map), so the cache is consulted but
   its verdicts are not enforced on any BGP session rendered here. #}
rpki {
cache routinator {
address 185.134.197.5
port 3323
}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- OSPF -=-=-=-=-=-=-=-=-=-=-=-=-=- */
{# IPv4 OSPF. router-id is required (no default); abr-type falls back to
   "cisco". Passive interfaces are collected from the per-interface pillar
   flag interfaces:<name>:ip:ospf:passive across every NetBox interface, and
   each area lists its networks from protocols:ospf:area:<id>:networks. #}
ospf {
parameters {
router-id {{ salt['pillar.get']('protocols:ospf:parameters:router-id') }}
abr-type {{ salt['pillar.get']('protocols:ospf:parameters:abr-type', 'cisco') }}
}
{% for nb_iface in pillar['netbox']['interfaces'] %}{% if salt['pillar.get']('interfaces:' + nb_iface + ':ip:ospf:passive') %}
passive-interface {{ nb_iface }}
{% endif %}{% endfor %}
{% for area_id, area in pillar['protocols']['ospf']['area'].items() %}
area {{ area_id }} {
{% for net in area['networks'] %}
network {{ net }}
{% endfor %}
}
{% endfor %}
}
{# OSPFv3. Each area may carry a "range" map and an "interface" map; both are
   emitted as bare nodes, no sub-options are read from pillar. #}
ospfv3 {
parameters {
router-id {{ salt['pillar.get']('protocols:ospfv3:parameters:router-id') }}
}
{% for area_id, area in pillar['protocols']['ospfv3']['area'].items() %}
area {{ area_id }} {
{% for summary in area.get('range', {}) %}
range {{ summary }} {
}
{% endfor %}
{% for ospf_iface in area.get('interface', {}) %}
interface {{ ospf_iface }}
{% endfor %}
}
{% endfor %}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- STATIC -=-=-=-=-=-=-=-=-=-=-=-=-=- */
{# Static routes. The IPv4 "route" map and the IPv6 "route6" map are rendered
   identically (all IPv4 routes first, then IPv6), so a single loop covers
   both: every next-hop becomes a bare node, and an optional blackhole gets
   an administrative distance (default 254). #}
static {
{% for route_node in ['route', 'route6'] %}
{% for dest, route in pillar['protocols']['static'][route_node].items() %}
{{ route_node }} {{ dest }} {
{% for gateway in route.get('next-hop', {}) %}
next-hop {{ gateway }} {
}
{% endfor %}
{% if route.get('blackhole', None) %}
blackhole {
distance {{ route['blackhole'].get('distance', 254) }}
}
{% endif %}
}
{% endfor %}
{% endfor %}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- BGP -=-=-=-=-=-=-=-=-=-=-=-=-=- */
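{# Renders one neighbor address-family body (ipv4-unicast / ipv6-unicast;
   both used to be spelled out twice with identical logic).
   NOTE(review): prefix-list import/export are optional. A neighbor whose
   pillar omits them gets NO prefix filtering from this template, and no
   route-map is attached anywhere, so make sure every eBGP neighbor carries
   at least an import and an export list (the hphr-* lists in the POLICY
   section exist for exactly that). "maximum-prefix" is an optional ceiling
   on accepted prefixes; it uses the same node name as VyOS and is only
   emitted when present in pillar, so existing neighbors render unchanged. #}
{% macro bgp_neighbor_af(af_name, af_data) %}
{{ af_name }} {
{% if 'prefix-list' in af_data %}
prefix-list {
{% if 'export' in af_data['prefix-list'] %}export {{ af_data['prefix-list']['export'] }}{% endif %}
{% if 'import' in af_data['prefix-list'] %}import {{ af_data['prefix-list']['import'] }}{% endif %}
}
{% endif %}
{% if 'maximum-prefix' in af_data %}maximum-prefix {{ af_data['maximum-prefix'] }}{% endif %}
{% if 'soft-reconfiguration' in af_data %}
soft-reconfiguration {
{% for softreconf in af_data['soft-reconfiguration'] %}
{{ softreconf }}
{% endfor %}
}
{% endif %}
}
{% endmacro %}
{# One "bgp <asn>" block per entry under pillar protocols:bgp. #}
{% for bgp_as, as_data in salt['pillar.get']('protocols:bgp', {}).items() %}
bgp {{ bgp_as }} {
parameters {
router-id {{ as_data['parameters']['router-id'] }}
}
{% if as_data.get('address-family', None) %}
address-family {
{% for af_name in ['ipv4-unicast', 'ipv6-unicast'] %}
{% if as_data['address-family'].get(af_name, None) %}
{{ af_name }} {
redistribute {
{% for redistribute in as_data['address-family'][af_name].get('redistribute', []) %}
{{ redistribute }} {}
{% endfor %}
}
}
{% endif %}
{% endfor %}
}
{% endif %}
{% for neighbor, neighbor_data in as_data.get('neighbor', {}).items() %}
neighbor {{ neighbor }} {
remote-as {{ neighbor_data['remote-as'] }}
{% if 'update-source' in neighbor_data %}update-source {{ neighbor_data['update-source'] }}{% endif %}
{# Optional TCP-MD5 session password ("neighbor <x> password" in VyOS),
   emitted only when present in pillar. Without it the session is not
   authenticated at the TCP layer. #}
{% if 'password' in neighbor_data %}password {{ neighbor_data['password'] }}{% endif %}
{% if 'address-family' in neighbor_data %}
address-family {
{% for af_name in ['ipv4-unicast', 'ipv6-unicast'] %}
{% if af_name in neighbor_data['address-family'] %}
{{ bgp_neighbor_af(af_name, neighbor_data['address-family'][af_name]) }}
{% endif %}
{% endfor %}
}
{% endif %}
}
{% endfor %}
}
{% endfor %}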
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- POLICY -=-=-=-=-=-=-=-=-=-=-=-=-=- */
policy {
{# Building-block IPv4 prefix-lists used as BGP import/export filters:
   hphr-NO-IPv4      matches (and denies) everything  -> accept/announce nothing
   hphr-ALL-IPv4     permits everything up to /32     -> no filtering at all
   hphr-DEFAULT-IPv4 permits exactly 0.0.0.0/0, denies every other prefix #}
prefix-list hphr-NO-IPv4 {
rule 1 {
prefix 0.0.0.0/0
le 32
action deny
}
}
prefix-list hphr-ALL-IPv4 {
rule 1 {
prefix 0.0.0.0/0
le 32
action permit
}
}
prefix-list hphr-DEFAULT-IPv4 {
rule 1 {
prefix 0.0.0.0/0
action permit
}
rule 2 {
prefix 0.0.0.0/0
le 32
action deny
}
}
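{# Full-table (DFZ) IPv4 filter: deny reserved/bogon space, permit the rest
   from /8 up to /24, deny everything else.
   Rule 1000 carries "ge 8": "0.0.0.0/0 le 24" on its own matches prefix
   lengths 0..24 and therefore also the default route itself, so a peer on
   this list could inject 0.0.0.0/0. Sessions that are meant to deliver a
   default use hphr-DFZ-DEFAULT-IPv4 instead. 0.0.0.0/8 ("this network") was
   missing from the bogon set and is added as rule 113. #}
prefix-list hphr-DFZ-IPv4 {
rule 100 {
prefix 192.168.0.0/16
description "RFC1918"
le 32
action deny
}
rule 101 {
prefix 172.16.0.0/12
description "RFC1918"
le 32
action deny
}
rule 102 {
prefix 10.0.0.0/8
description "RFC1918"
le 32
action deny
}
rule 103 {
prefix 169.254.0.0/16
description "link-local"
le 32
action deny
}
rule 104 {
prefix 100.64.0.0/10
description "CGNAT"
le 32
action deny
}
rule 105 {
prefix 127.0.0.0/8
description "loopback"
le 32
action deny
}
rule 106 {
prefix 192.0.0.0/24
description "IETF protocol assignments"
le 32
action deny
}
rule 107 {
prefix 192.0.2.0/24
description "TEST-NET-1"
le 32
action deny
}
rule 108 {
prefix 198.18.0.0/15
description "Network interconnect device benchmark testing"
le 32
action deny
}
rule 109 {
prefix 198.51.100.0/24
description "TEST-NET-2"
le 32
action deny
}
rule 110 {
prefix 203.0.113.0/24
description "TEST-NET-3"
le 32
action deny
}
rule 111 {
prefix 224.0.0.0/4
description "multicast"
le 32
action deny
}
rule 112 {
prefix 240.0.0.0/4
description "reserved"
le 32
action deny
}
rule 113 {
prefix 0.0.0.0/8
description "this network (RFC 1122)"
le 32
action deny
}
rule 1000 {
prefix 0.0.0.0/0
description "anything else between /8 and /24; ge 8 excludes the default route"
ge 8
le 24
action permit
}
rule 65535 {
prefix 0.0.0.0/0
le 32
action deny
}
}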
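{# Same as hphr-DFZ-IPv4 but rule 10 explicitly permits the exact default
   route first (for sessions that are supposed to deliver one). The bogon
   set, rule 113 (0.0.0.0/8) and the "ge 8" on rule 1000 are kept identical
   to hphr-DFZ-IPv4 so the two lists only differ in rule 10. #}
prefix-list hphr-DFZ-DEFAULT-IPv4 {
rule 10 {
prefix 0.0.0.0/0
action permit
}
rule 100 {
prefix 192.168.0.0/16
description "RFC1918"
le 32
action deny
}
rule 101 {
prefix 172.16.0.0/12
description "RFC1918"
le 32
action deny
}
rule 102 {
prefix 10.0.0.0/8
description "RFC1918"
le 32
action deny
}
rule 103 {
prefix 169.254.0.0/16
description "link-local"
le 32
action deny
}
rule 104 {
prefix 100.64.0.0/10
description "CGNAT"
le 32
action deny
}
rule 105 {
prefix 127.0.0.0/8
description "loopback"
le 32
action deny
}
rule 106 {
prefix 192.0.0.0/24
description "IETF protocol assignments"
le 32
action deny
}
rule 107 {
prefix 192.0.2.0/24
description "TEST-NET-1"
le 32
action deny
}
rule 108 {
prefix 198.18.0.0/15
description "Network interconnect device benchmark testing"
le 32
action deny
}
rule 109 {
prefix 198.51.100.0/24
description "TEST-NET-2"
le 32
action deny
}
rule 110 {
prefix 203.0.113.0/24
description "TEST-NET-3"
le 32
action deny
}
rule 111 {
prefix 224.0.0.0/4
description "multicast"
le 32
action deny
}
rule 112 {
prefix 240.0.0.0/4
description "reserved"
le 32
action deny
}
rule 113 {
prefix 0.0.0.0/8
description "this network (RFC 1122)"
le 32
action deny
}
rule 1000 {
prefix 0.0.0.0/0
description "anything else between /8 and /24"
ge 8
le 24
action permit
}
rule 65535 {
prefix 0.0.0.0/0
le 32
action deny
}
}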
{# IPv6 counterparts of the building-block lists above:
   hphr-NO-IPv6      matches (and denies) everything  -> accept/announce nothing
   hphr-ALL-IPv6     permits everything up to /128    -> no filtering at all
   hphr-DEFAULT-IPv6 permits exactly ::/0, denies every other prefix #}
prefix-list6 hphr-NO-IPv6 {
rule 1 {
prefix ::/0
le 128
action deny
}
}
prefix-list6 hphr-ALL-IPv6 {
rule 1 {
prefix ::/0
le 128
action permit
}
}
prefix-list6 hphr-DEFAULT-IPv6 {
rule 1 {
prefix ::/0
action permit
}
rule 2 {
prefix ::/0
le 128
action deny
}
}
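{# Full-table (DFZ) IPv6 filter: deny reserved/bogon space, allow global
   multicast ff0e::/16 up to /64, deny other multicast, then permit anything
   from /16 up to /64 and deny the rest.
   Rule 1000 carries "ge 16": "::/0 le 64" alone matches prefix lengths 0..64
   and so accepted the default route itself from a full-table peer; ::/0 is
   only meant to arrive via hphr-DFZ-DEFAULT-IPv6. /16 is the conventional
   shortest length accepted in the IPv6 DFZ — relax it if a peer legitimately
   sends something shorter. The explicit deny-all in rule 65535 mirrors the
   IPv4 lists (FRR would deny implicitly anyway). #}
prefix-list6 hphr-DFZ-IPv6 {
rule 100 {
prefix ::/128
description "not self"
action deny
}
rule 101 {
prefix ::1/128
description "self"
action deny
}
rule 102 {
prefix ::ffff:0:0/96
description "IPv4-mapped"
le 128
action deny
}
rule 103 {
prefix ::/96
description "IPv4-compatible"
le 128
action deny
}
rule 104 {
prefix 100::/64
description "RTBH addresses"
le 128
action deny
}
rule 105 {
prefix 2001:10::/28
description "ORCHID addresses"
le 128
action deny
}
rule 106 {
prefix 2001:db8::/32
description "documentation prefix"
le 128
action deny
}
rule 107 {
prefix fc00::/7
description "ULA address"
le 128
action deny
}
rule 108 {
prefix fe80::/10
description "link-local"
le 128
action deny
}
rule 109 {
prefix fec0::/10
description "site-local"
le 128
action deny
}
rule 110 {
prefix ff0e::/16
description "global multicast"
le 64
action permit
}
rule 111 {
prefix ff00::/8
description "multicast"
le 128
action deny
}
rule 1000 {
prefix ::/0
description "anything else between /16 and /64; ge 16 excludes the default route"
ge 16
le 64
action permit
}
rule 65535 {
prefix ::/0
le 128
action deny
}
}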
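{# Same as hphr-DFZ-IPv6 but rule 10 explicitly permits the exact default
   route first (for sessions that are supposed to deliver one). The bogon
   set, the "ge 16" on rule 1000 and the explicit deny-all are kept identical
   to hphr-DFZ-IPv6 so the two lists only differ in rule 10. #}
prefix-list6 hphr-DFZ-DEFAULT-IPv6 {
rule 10 {
prefix ::/0
action permit
}
rule 100 {
prefix ::/128
description "not self"
action deny
}
rule 101 {
prefix ::1/128
description "self"
action deny
}
rule 102 {
prefix ::ffff:0:0/96
description "IPv4-mapped"
le 128
action deny
}
rule 103 {
prefix ::/96
description "IPv4-compatible"
le 128
action deny
}
rule 104 {
prefix 100::/64
description "RTBH addresses"
le 128
action deny
}
rule 105 {
prefix 2001:10::/28
description "ORCHID addresses"
le 128
action deny
}
rule 106 {
prefix 2001:db8::/32
description "documentation prefix"
le 128
action deny
}
rule 107 {
prefix fc00::/7
description "ULA address"
le 128
action deny
}
rule 108 {
prefix fe80::/10
description "link-local"
le 128
action deny
}
rule 109 {
prefix fec0::/10
description "site-local"
le 128
action deny
}
rule 110 {
prefix ff0e::/16
description "global multicast"
le 64
action permit
}
rule 111 {
prefix ff00::/8
description "multicast"
le 128
action deny
}
rule 1000 {
prefix ::/0
description "anything else between /16 and /64"
ge 16
le 64
action permit
}
rule 65535 {
prefix ::/0
le 128
action deny
}
}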
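{# IRR-generated prefix-lists. Each entry under pillar policy:prefix-list maps
   a list name to {"IPv4": <bgpq3 object>, "IPv6": <bgpq3 object>}; bgpq3 is
   run once per list and address family, and every prefix in its JSON "NN"
   array becomes a permit rule, followed by an explicit deny-all.

   NOTE(review): the IPv4 list used to be generated from the "IPv6" query
   with "-6" (copy/paste of the IPv6 loop), so it was populated with IPv6
   prefixes and could not work as an IPv4 filter. The IPv4 list now uses "-4"
   and the "IPv4" query. A list whose query is missing from pillar, or whose
   object expands to nothing, is rendered with only the final deny rule, so a
   broken input fails CLOSED; a bgpq3 failure (non-JSON output) aborts the
   whole render via load_json rather than producing an empty permit-nothing
   list, which is also fail-closed.

   NOTE(review): the command is passed as an argv list with python_shell=False
   so the pillar-supplied IRR object name is never interpreted by a shell.
   What this does not fix: the binary and the LD_PRELOAD helper are loaded
   from /tmp, a world-writable directory (and typically not persistent across
   reboots), while salt-minion normally runs as root — anyone able to write
   /tmp/bgpq3 or /tmp/bind.so on the minion gets code execution as root on
   the next render. Install both under a root-owned path and reference that
   path here. #}
{% macro bgpq3_prefix_list(list_node, list_name, af_flag, irr_object, catchall, catchall_le) %}
{{ list_node }} {{ list_name }} {
{% if irr_object %}
{% set jsonblob = salt['cmd.run'](['/tmp/bgpq3', '-A', af_flag, '-j', irr_object], python_shell=False, env={'BIND_ADDR': pillar['loopback']['IPv4'], 'BIND_ADDR6': pillar['loopback']['IPv6'], 'LD_PRELOAD': '/tmp/bind.so'})|load_json %}
{% for prefix in jsonblob.NN %}
rule {{ loop.index }} {
action permit
prefix {{ prefix['prefix'] }}
{% if prefix.get('less-equal', None) != None %}le {{ prefix['less-equal'] }}{% endif %}
{% if prefix.get('greater-equal', None) != None %}ge {{ prefix['greater-equal'] }}{% endif %}
}
{% endfor %}
{% endif %}
rule 65535 {
prefix {{ catchall }}
le {{ catchall_le }}
action deny
}
}
{% endmacro %}
{% for prefix_list_name, bgpq3_query in salt['pillar.get']("policy:prefix-list", {}).items() %}
{{ bgpq3_prefix_list('prefix-list', prefix_list_name, '-4', bgpq3_query.get('IPv4'), '0.0.0.0/0', 32) }}
{% endfor %}
{% for prefix_list_name, bgpq3_query in salt['pillar.get']("policy:prefix-list", {}).items() %}
{{ bgpq3_prefix_list('prefix-list6', prefix_list_name, '-6', bgpq3_query.get('IPv6'), '::/0', 128) }}
{% endfor %}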
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- SERVICE -=-=-=-=-=-=-=-=-=-=-=-=-=- */
service {
{# LLDP on the pillar-listed interfaces, advertising the pillar-defined
   management address. #}
lldp {
{% for iface_name, iface_data in salt['pillar.get']('service:lldp:interface',{}).items() %}
interface {{ iface_name }} {
}
{% endfor %}
management-address {{ pillar['service']['lldp']['management-address'] }}
}
{# Minion id is the FQDN grain; the master comes from pillar. #}
salt-minion {
id {{ grains['fqdn'] }}
master {{ pillar['service']['salt-minion']['master'] }}
}
{# SNMP. NOTE(review): every pillar community is emitted as an empty
   "community <name> { }" node — no authorization or client/network
   restriction is read from pillar, so whatever VyOS applies to an empty
   community node is what you get; confirm that the intended read-only and
   source-address limits actually apply. Community-based SNMP (v1/v2c) sends
   the community string in clear. The daemon listens on the trap-source
   address only. #}
snmp {
{% for cty_name, cty_data in salt['pillar.get']('service:snmp:community',{}).items() %}
community {{ cty_name }} {
}
{% endfor %}
trap-source {{ pillar['service']['snmp']['trap-source'] }}
listen-address {{ pillar['service']['snmp']['trap-source'] }}
{% for trap_target, trap_data in salt['pillar.get']('service:snmp:trap-target',{}).items() %}
trap-target {{ trap_target }} {
}
{% endfor %}
}
{# SSH is bound to a single pillar-selected address; user authentication is
   configured under "system login" below, not here. #}
ssh {
listen-address {{ pillar['service']['ssh']['listen-address'] }}
}
}
/* -=-=-=-=-=-=-=-=-=-=-=-=-=- SYSTEM -=-=-=-=-=-=-=-=-=-=-=-=-=- */
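system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 9600
}
}
host-name {{ grains['fqdn'] }}
ip {
multipath {
layer4-hashing
}
}
ipv6 {
multipath {
layer4-hashing
}
}
{# Local admin account. The password hash is read from pillar under
   system:login:user:vyos:authentication:encrypted-password (mirroring the
   VyOS node path, as the rest of this template does for its pillar keys).
   NOTE(review): an earlier revision of this template embedded a literal
   SHA-512 crypt hash for the admin-level "vyos" user directly in the file.
   A hash committed to a repository is exposed to offline cracking by anyone
   with read access to the repo (or to this rendered page), so treat that
   password as compromised and rotate it; never put the hash back here.
   If the pillar key is missing this renders "encrypted-password None",
   which leaves the account without a usable password rather than with a
   known one — check pillar before deploying. #}
login {
user vyos {
authentication {
encrypted-password {{ salt['pillar.get']('system:login:user:vyos:authentication:encrypted-password') }}
plaintext-password ""
}
level admin
}
}
{% for nameserver in pillar['nameservers'] %}
name-server {{ nameserver }}
{% endfor %}
ntp {
{% for ntp_server, ntp_data in pillar['ntp'].items() %}
server {{ ntp_server }} {
}
{% endfor %}
}
{# All facilities at info; routing protocols at debug, which is verbose —
   keep an eye on log volume on a box with a full table. #}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
time-zone UTC
}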
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@3:ssh@1:system@11:vrrp@2:vyos-accel-ppp@1:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.0-rolling+201904240337 */