system { host-name {{ switch_name }}; auto-snapshot; domain-name tg23.gathering.org; time-zone Europe/Oslo; /* tacacs primary, failbacks to local users */ authentication-order tacplus; root-authentication { encrypted-password "{{ v.root_pw }}"; ## SECRET-DATA } name-server { {% for n in v.nameservers %} {{n}}; {% endfor %} } tacplus-server { {{ v.tacplusserver }} { secret {{ v.tacplus_secret }}; ## SECRET-DATA source-address {{ v.switch_management.mgmt_v4_addr }}; } } login { user tech { class super-user; authentication { encrypted-password "{{ v.tech_pw }}"; ## SECRET-DATA } } user api { class super-user; authentication { ssh-ed25519 ""; ## SECRET-DATA } } } services { ssh { root-login deny; no-tcp-forwarding; client-alive-count-max 2; client-alive-interval 300; protocol-version v2; connection-limit 50; rate-limit 5; } netconf { ssh { port 830; } } } syslog { user * { any emergency; } host log.tg23.gathering.org { any warning; authorization info; daemon warning; user warning; change-log any; interactive-commands any; match "!(.*License.*)"; allow-duplicates; facility-override local7; explicit-priority; } /* Oxidized syslog */ host 185.110.148.112 { interactive-commands notice; match UI_COMMIT_COMPLETED; source-address {{ v.switch_management.mgmt_v4_addr }}; } /* Local logging of syslog message */ file messages { any notice; /* Fjerner mye graps i loggene */ match "!(.*License.*|.*EX-BCM PIC.*|.*mojito_i2c_read.*|.*qsfp_tk_read_mem_page.*)"; authorization info; } /* Local logging of all user-commands typed in the CLI */ file interactive-commands { interactive-commands any; match "UI_CMDLINE_READ_LINE|UI_COMMIT_COMPLETED"; } } commit synchronize; # Syncer konfigurasjonen til alle members i VC ved commit. Ingen effekt ved commit på single bokser. ntp { /* ntp.uio.no */ server 2001:700:100:2::6; } ports { console log-out-on-disconnect; } } chassis { alarm { management-ethernet { # Sender ikke alarm ved link down på managementinterfacet. link-down ignore; } } aggregated-devices { ethernet { device-count 32; } } } interfaces { interface-range all-ports { member ge-*/*/*; {% if "multirate" in v.switch_tags %} member mge-*/*/*; {% endif %} member xe-*/*/*; member et-*/*/*; } lo0 { unit 0 { family inet { filter { input mgmt-v4; } } family inet6 { filter { input mgmt-v6; } } } } } snmp { contact ""; community {{ v.snmp_community }} { authorization read-only; client-list-name mgmt; } } policy-options { prefix-list mgmt-v4 { } prefix-list mgmt-v6 { } /* Merged separate v4- og v6-lister */ prefix-list mgmt { apply-path "policy-options prefix-list <*>"; } } firewall { family inet { filter mgmt-v4 { term accept-ssh { from { source-prefix-list { mgmt-v4; } destination-port 22; } then accept; } term discard-ssh { from { destination-port 22; } then { discard; } } term accept-all { then accept; } } } family inet6 { filter mgmt-v6 { term accept-ssh { from { source-prefix-list { mgmt-v6; } destination-port 22; } then accept; } term discard-ssh { from { destination-port 22; } then discard; } term accept-all { then accept; } } } } protocols { igmp-snooping { vlan all; } } poe { interface all; }